diff options
| author |   otto <otto@openbsd.org> | 2008-03-16 19:47:43 +0000 |
|---|---|---|
| committer | otto <otto@openbsd.org> | 2008-03-16 19:47:43 +0000 |
| commit | f7b5bfc7f04e8d73cac5bdb11597072d7f605db7 (patch) | |
| tree | 9f28fc92da17658496afe0b5879efc12c35f9980 /lib/libc/crypt/arc4random.c | |
| parent | indent (diff) | |
| download | wireguard-openbsd-f7b5bfc7f04e8d73cac5bdb11597072d7f605db7.tar.xz wireguard-openbsd-f7b5bfc7f04e8d73cac5bdb11597072d7f605db7.zip | |
diff from djm@ committed at his request:
introduce two new APIs for requesting strong random numbers:
arc4random_buf() - fill an arbitrary memory range with random numbers
arc4random_uniform() - return a uniformly distributed random number
below
a specified upper bound, avoiding the bias that comes from a naive
"arc4random() % upper_bound" construction.
these mirror similarly-named functions in the kernel;
lots of discussion deraadt@ mcbride@
Diffstat (limited to 'lib/libc/crypt/arc4random.c')
| -rw-r--r-- | lib/libc/crypt/arc4random.c | 64 |
1 files changed, 63 insertions, 1 deletions
diff --git a/lib/libc/crypt/arc4random.c b/lib/libc/crypt/arc4random.c index 8604548f3fc..bbe42bd204d 100644 --- a/lib/libc/crypt/arc4random.c +++ b/lib/libc/crypt/arc4random.c @@ -1,7 +1,8 @@ -/* $OpenBSD: arc4random.c,v 1.17 2008/01/01 00:43:39 kurt Exp $ */ +/* $OpenBSD: arc4random.c,v 1.18 2008/03/16 19:47:43 otto Exp $ */ /* * Copyright (c) 1996, David Mazieres <dm@uun.org> + * Copyright (c) 2008, Damien Miller <djm@openbsd.org> * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -34,6 +35,7 @@ */ #include <fcntl.h> +#include <limits.h> #include <stdlib.h> #include <unistd.h> #include <sys/types.h> @@ -188,6 +190,66 @@ arc4random(void) return val; } +void +arc4random_buf(void *_buf, size_t n) +{ + u_char *buf = (u_char *)_buf; + _ARC4_LOCK(); + if (!rs_initialized || arc4_stir_pid != getpid()) + arc4_stir(); + while (n--) { + if (--arc4_count <= 0) + arc4_stir(); + buf[n] = arc4_getbyte(); + } + _ARC4_UNLOCK(); +} + +/* + * Calculate a uniformly distributed random number less than upper_bound + * avoiding "modulo bias". + * + * Uniformity is achieved by generating new random numbers until the one + * returned is outside the range [0, 2**32 % upper_bound). This + * guarantees the selected random number will be inside + * [2**32 % upper_bound, 2**32) which maps back to [0, upper_bound) + * after reduction modulo upper_bound. + */ +u_int32_t +arc4random_uniform(u_int32_t upper_bound) +{ + u_int32_t r, min; + + if (upper_bound < 2) + return 0; + +#if (ULONG_MAX > 0xffffffffUL) + min = 0x100000000UL % upper_bound; +#else + /* Calculate (2**32 % upper_bound) avoiding 64-bit math */ + if (upper_bound > 0x80000000) + min = 1 + ~upper_bound; /* 2**32 - upper_bound */ + else { + /* (2**32 - (x * 2)) % x == 2**32 % x when x <= 2**31 */ + min = ((0xffffffff - (upper_bound << 2)) + 1) % upper_bound; + } +#endif + + /* + * This could theoretically loop forever but each retry has + * p > 0.5 (worst case, usually far better) of selecting a + * number inside the range we need, so it should rarely need + * to re-roll. + */ + for (;;) { + r = arc4random(); + if (r >= min) + break; + } + + return r % upper_bound; +} + #if 0 /*-------- Test code for i386 --------*/ #include <stdio.h> |