ESP output was drawing down the entropy pool at a ferocious rate, a

particular problem on hosts with only wireless interfaces that are definitely not safe to use as entropy sources. Add arc4randbytes() which hands out bytes from the same source used by arc4random(). This is intended to be a _temporary_ interface until we can design and implement a better general PRNG interface that is decoupled from the entropy-pool implementation. Modify key_randomfill() (used only for initialization vectors on SA creation and via key_sa_stir_iv(), which does not "stir", despite its name) to use arc4randbytes() instead of pulling bits directly from the entropy pool. It is my hope that this change will pose minimal integration problems for the KAME folks as the random-pool interface is *already* different between each BSD variant; this just simplifies the NetBSD case and solves a fairly serious problem. Note that it is generally considered acceptable cryptographic practice to use a fast stream cipher to generate IVs for encryption with stronger block ciphers. For example, the use of "non-Approved" PRNGs to generate IVs for "Approved" block ciphers is explicitly sanctioned by FIPS 140-2.
2002-10-06 08:51:44 +00:00 · 2002-10-06 08:51:44 +00:00 · 0f95ec4fd5
parent cd114adca5
commit 0f95ec4fd5
3 changed files with 30 additions and 21 deletions
--- a/sys/lib/libkern/arc4random.c
+++ b/sys/lib/libkern/arc4random.c
@ -1,4 +1,4 @@
-/*	$NetBSD: arc4random.c,v 1.7 2002/10/06 06:47:40 tls Exp $	*/
+/*	$NetBSD: arc4random.c,v 1.8 2002/10/06 08:51:44 tls Exp $	*/

 /*-
 * Copyright (c) 2002 The NetBSD Foundation, Inc.
@ -199,3 +199,19 @@ arc4random(void)
 	for(i = 0, ret = 0; i < 24; ret |= arc4_randbyte() << i, i += 8);
 	return ret;
 }
+
+void
+arc4randbytes(void *p, size_t len)
+{
+    u_int8_t *buf;
+    size_t i;
+
+    buf = (u_int8_t *)p;
+
+    for(i = 0; i < len; buf[i] = arc4_randbyte(), i++);
+    arc4_numruns += len / sizeof(u_int32_t);
+    if((arc4_numruns > ARC4_MAXRUNS) ||
+	(mono_time.tv_sec > arc4_tv_nextreseed.tv_sec)) {
+		arc4_randrekey();
+	}
+}
--- a/sys/lib/libkern/libkern.h
+++ b/sys/lib/libkern/libkern.h
@ -1,4 +1,4 @@
-/*	$NetBSD: libkern.h,v 1.45 2002/10/04 18:39:52 junyoung Exp $	*/
+/*	$NetBSD: libkern.h,v 1.46 2002/10/06 08:51:44 tls Exp $	*/

 /*-
 * Copyright (c) 1992, 1993
@ -279,6 +279,7 @@ void	*memchr __P((const void *, int, size_t));
 void	*memmove __P((void *, const void *, size_t));
 int	 pmatch __P((const char *, const char *, const char **));
 u_int32_t arc4random __P((void));
+void	 arc4randbytes __P((void *, size_t));
 u_long	 random __P((void));
 int	 scanc __P((u_int, const u_char *, const u_char *, int));
 int	 skpc __P((int, size_t, u_char *));
--- a/sys/netkey/key.c
+++ b/sys/netkey/key.c
@ -1,4 +1,4 @@
-/*	$NetBSD: key.c,v 1.77 2002/10/04 05:45:22 itojun Exp $	*/
+/*	$NetBSD: key.c,v 1.78 2002/10/06 08:51:46 tls Exp $	*/
 /*	$KAME: key.c,v 1.249 2002/06/14 14:46:22 itojun Exp $	*/

 /*
@ -35,7 +35,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.77 2002/10/04 05:45:22 itojun Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.78 2002/10/06 08:51:46 tls Exp $");

 #include "opt_inet.h"
 #include "opt_ipsec.h"
@ -4251,27 +4251,19 @@ key_randomfill(p, l)
 	void *p;
 	size_t l;
 {
-	size_t n;
-	u_long v;
 	static int warn = 1;

-	n = 0;
 #if NRND > 0
-	n = rnd_extract_data(p, l, RND_EXTRACT_ANY);
-#endif
-	/* last resort */
-	while (n < l) {
-		v = random();
-		bcopy(&v, (u_int8_t *)p + n,
-		    l - n < sizeof(v) ? l - n : sizeof(v));
-		n += sizeof(v);
-
-		if (warn) {
-			printf("WARNING: pseudo-random number generator "
-			    "used for IPsec processing\n");
-			warn = 0;
-		}
+	arc4randbytes(p, l);
+	warn = 0;
+#else
+	/* the arc4 generator is keyed with junk. */
+	if (warn) {
+		printf("WARNING: pseudo-random number generator "
+		    "used for IPsec processing\n");
+		warn = 0;
 	}
+#endif
 }

 /*