svn commit: r249035 - head/lib/libc/stdlib
Andrey Chernov
ache at freebsd.org
Thu Apr 4 07:19:02 UTC 2013
On 04.04.2013 9:24, Xin Li wrote:
> True, but keep in mind that neither random(3) nor rand(3) is intended to
> satisfy cryptographically secure needs, and I don't see a reason why
> kernel arc4 can not be improved.
The danger here is not so much getting something cryptographically less secure,
but a much higher probability of getting the same sequence after boot.
> To be honest, I don't personally have access to the archive (nor am I
> aware there was one; the arc4 change you are talking about may predate
> my membership on secteam@, by the way).
>
> How about sending the patch again and let's see how we can work it out?
Ok, patches are attached, one with atomics and another one without.
They try to reseed arc4 immediately after we have enough entropy.
Only one of them is needed, not both. The atomic version works 100% right,
and the non-atomic one may cause a chained arc4 reseed in an edge case, which does not
harm arc4 itself, it just takes time.
-------------- next part --------------
--- sys/libkern.h.old 2012-01-16 07:15:12.000000000 +0400
+++ sys/libkern.h 2012-01-28 08:49:19.000000000 +0400
@@ -70,6 +70,11 @@ static __inline int abs(int a) { return
static __inline long labs(long a) { return (a < 0 ? -a : a); }
static __inline quad_t qabs(quad_t a) { return (a < 0 ? -a : a); }
+#define ARC4_ENTR_NONE 0 /* Don't have entropy yet. */
+#define ARC4_ENTR_HAVE 1 /* Have entropy. */
+#define ARC4_ENTR_SEED 2 /* Reseeding. */
+extern int arc4rand_iniseed_state;
+
/* Prototypes for non-quad routines. */
struct malloc_type;
uint32_t arc4random(void);
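Review bot: The comment on ARC4_ENTR_SEED reads as if it names a transient phase, but in the attached hunks nothing ever leaves that state once arc4rand() has moved HAVE to SEED, so it is effectively the terminal "initial reseed done" state. Suggest `#define ARC4_ENTR_SEED 2 /* Initial reseed from real entropy done; no further transitions. */` so a reader does not go looking for a SEED-to-something transition. It would also help to note next to the extern that the transitions are NONE to HAVE in random_yarrow_unblock() and HAVE to SEED in arc4rand(), since the variable is shared across three files.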
--- dev/random/randomdev_soft.c.old 2011-03-02 01:42:19.000000000 +0300
+++ dev/random/randomdev_soft.c 2012-01-28 08:48:22.000000000 +0400
@@ -366,6 +366,8 @@ random_yarrow_unblock(void)
selwakeuppri(&random_systat.rsel, PUSER);
wakeup(&random_systat);
}
+ (void)atomic_cmpset_int(&arc4rand_iniseed_state, ARC4_ENTR_NONE,
+ ARC4_ENTR_HAVE);
}
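Review bot: The discarded return value of atomic_cmpset_int() deserves a one-line comment, because a reader will otherwise wonder whether the failure case (state already HAVE or SEED) is a bug rather than the expected outcome on any unblock after the first; suggest `/* Tell arc4rand() real entropy is available; a failed cmpset means it already knows or has already reseeded. */`. random_yarrow_unblock() begins outside the hunk, so whether this point is reached on every unblock or only once cannot be seen here.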
static int
--- libkern/arc4random.c.old 2008-08-08 01:51:09.000000000 +0400
+++ libkern/arc4random.c 2012-01-28 08:51:12.000000000 +0400
@@ -24,6 +24,8 @@ __FBSDID("$FreeBSD: src/sys/libkern/arc4
#define ARC4_RESEED_SECONDS 300
#define ARC4_KEYBYTES (256 / 8)
+int arc4rand_iniseed_state = ARC4_ENTR_NONE;
+
static u_int8_t arc4_i, arc4_j;
static int arc4_numruns = 0;
static u_int8_t arc4_sbox[256];
@@ -130,7 +132,8 @@ arc4rand(void *ptr, u_int len, int resee
struct timeval tv;
getmicrouptime(&tv);
- if (reseed ||
+ if (atomic_cmpset_int(&arc4rand_iniseed_state, ARC4_ENTR_HAVE,
+ ARC4_ENTR_SEED) || reseed ||
(arc4_numruns > ARC4_RESEED_BYTES) ||
(tv.tv_sec > arc4_t_reseed))
arc4_randomstir();
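Review bot: The atomic_cmpset_int() is the first operand of the condition, so every arc4rand() call pays an atomic read-modify-write before `reseed` or the cheaper counter checks are even examined, and it also runs when a reseed is already forced. If consuming the HAVE state on the very first call after unblock is the intent, a comment should say so; otherwise a plain load can guard it, `arc4rand_iniseed_state == ARC4_ENTR_HAVE && atomic_cmpset_int(&arc4rand_iniseed_state, ARC4_ENTR_HAVE, ARC4_ENTR_SEED)`, at the cost of possibly deferring the reseed by one call on a stale read. Until this reseed fires the output is still derived from whatever the initial stir used, so the patch shortens the window of predictable output rather than removing it; arc4rand() and arc4_randomstir() both begin outside the hunk.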
-------------- next part --------------
--- sys/libkern.h.bak 2012-01-16 07:15:12.000000000 +0400
+++ sys/libkern.h 2012-01-25 17:31:49.000000000 +0400
@@ -72,6 +72,7 @@ static __inline quad_t qabs(quad_t a) {
/* Prototypes for non-quad routines. */
struct malloc_type;
+extern int arc4rand_iniseed_state;
uint32_t arc4random(void);
void arc4rand(void *ptr, u_int len, int reseed);
int bcmp(const void *, const void *, size_t);
--- dev/random/randomdev_soft.c.bak 2011-03-02 01:42:19.000000000 +0300
+++ dev/random/randomdev_soft.c 2012-01-25 17:28:19.000000000 +0400
@@ -366,6 +366,8 @@ random_yarrow_unblock(void)
selwakeuppri(&random_systat.rsel, PUSER);
wakeup(&random_systat);
}
+ if (arc4rand_iniseed_state == 0)
+ arc4rand_iniseed_state = 1;
}
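Review bot: The state values 0 and 1 here, and 1 and -1 in the arc4_randomstir() and arc4rand() hunks of libkern/arc4random.c, are bare magic numbers, while the first patch gives the same states ARC4_ENTR_* names; either reuse those names or at least document the encoding at the definition, e.g. `int arc4rand_iniseed_state = 0; /* 0: no entropy yet, 1: entropy available, -1: initial reseed done */`. This check-then-assign is also an unlocked read-modify-write of a variable that arc4_randomstir() writes from other CPUs, which is presumably why the atomic variant exists; a comment stating that the only consequence of losing the race is a redundant stir would make the trade-off explicit. random_yarrow_unblock() begins outside the hunk.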
static int
--- libkern/arc4random.c.bak 2008-08-08 01:51:09.000000000 +0400
+++ libkern/arc4random.c 2012-01-25 17:30:30.000000000 +0400
@@ -24,6 +24,8 @@ __FBSDID("$FreeBSD: src/sys/libkern/arc4
#define ARC4_RESEED_SECONDS 300
#define ARC4_KEYBYTES (256 / 8)
+int arc4rand_iniseed_state = 0;
+
static u_int8_t arc4_i, arc4_j;
static int arc4_numruns = 0;
static u_int8_t arc4_sbox[256];
@@ -74,6 +76,8 @@ arc4_randomstir (void)
/* Reset for next reseed cycle. */
arc4_t_reseed = tv_now.tv_sec + ARC4_RESEED_SECONDS;
arc4_numruns = 0;
+ if (arc4rand_iniseed_state == 1)
+ arc4rand_iniseed_state = -1;
/*
* Throw away the first N words of output, as suggested in the
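Review bot: The transition to -1 happens only after the reseed bookkeeping, so an arc4rand() caller on another CPU that reads 1 while the stir is still in progress will call arc4_randomstir() again, which is the chained reseed the cover note describes. Moving the assignment to the entry of arc4_randomstir(), or performing it in arc4rand() immediately before the call as the atomic variant does, narrows that window to a few instructions with the same end state. arc4_randomstir() begins outside the hunk, so whether an earlier point exists before the sbox is touched cannot be confirmed here.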
@@ -130,7 +134,7 @@ arc4rand(void *ptr, u_int len, int resee
struct timeval tv;
getmicrouptime(&tv);
- if (reseed ||
+ if (reseed || arc4rand_iniseed_state == 1 ||
(arc4_numruns > ARC4_RESEED_BYTES) ||
(tv.tv_sec > arc4_t_reseed))
arc4_randomstir();
-------------- next part --------------