VeraCrypt/src/Crypto/chachaRng.c

/*	$OpenBSD: arc4random.c,v 1.54 2015/09/13 08:31:47 guenther Exp $	*/

/*
 * Copyright (c) 1996, David Mazieres <dm@uun.org>
 * Copyright (c) 2008, Damien Miller <djm@openbsd.org>
 * Copyright (c) 2013, Markus Friedl <markus@openbsd.org>
 * Copyright (c) 2014, Theo de Raadt <deraadt@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

/*
 * ChaCha based random number generator for OpenBSD.
 */

/*
 * Adapted for VeraCrypt
 */

#include "chachaRng.h"
#include "cpu.h"
#include "misc.h"
#include <string.h>

static VC_INLINE void ChaCha20RngReKey (ChaCha20RngCtx* pCtx, int useCallBack)
{
	/* fill rs_buf with the keystream */
	if (pCtx->m_rs_have)
		memset(pCtx->m_rs_buf + sizeof(pCtx->m_rs_buf) - pCtx->m_rs_have, 0, pCtx->m_rs_have);
	ChaCha256Encrypt(&pCtx->m_chachaCtx, pCtx->m_rs_buf, sizeof (pCtx->m_rs_buf),
	    pCtx->m_rs_buf);
	/* mix in optional user provided data */
	if (pCtx->m_getRandSeedCallback && useCallBack) {
		unsigned char dat[CHACHA20RNG_KEYSZ + CHACHA20RNG_IVSZ];
		size_t i;

		pCtx->m_getRandSeedCallback (dat, sizeof (dat));

		for (i = 0; i < (CHACHA20RNG_KEYSZ + CHACHA20RNG_IVSZ); i++)
			pCtx->m_rs_buf[i] ^= dat[i];

		burn (dat, sizeof(dat));
	}

	/* immediately reinit for backtracking resistance */
	ChaCha256Init (&pCtx->m_chachaCtx, pCtx->m_rs_buf, pCtx->m_rs_buf + CHACHA20RNG_KEYSZ, 20);
	memset(pCtx->m_rs_buf, 0, CHACHA20RNG_KEYSZ + CHACHA20RNG_IVSZ);
	pCtx->m_rs_have = sizeof (pCtx->m_rs_buf) - CHACHA20RNG_KEYSZ - CHACHA20RNG_IVSZ;
}

static VC_INLINE void ChaCha20RngStir(ChaCha20RngCtx* pCtx)
{
	ChaCha20RngReKey (pCtx, 1);

	/* invalidate rs_buf */
	pCtx->m_rs_have = 0;
	memset(pCtx->m_rs_buf, 0, CHACHA20RNG_RSBUFSZ);

	pCtx->m_rs_count = 1600000;
}

static VC_INLINE void ChaCha20RngStirIfNeeded(ChaCha20RngCtx* pCtx, size_t len)
{
	if (pCtx->m_rs_count <= len) {
		ChaCha20RngStir(pCtx);
	} else
		pCtx->m_rs_count -= len;
}

void ChaCha20RngInit (ChaCha20RngCtx* pCtx, const unsigned char* key, GetRandSeedFn rngSeedCallback, size_t InitialBytesToSkip)
{
	ChaCha256Init (&pCtx->m_chachaCtx, key, key + 32, 20);
	pCtx->m_getRandSeedCallback = rngSeedCallback;

	/* fill rs_buf with the keystream */
	pCtx->m_rs_have = 0;
	memset (pCtx->m_rs_buf, 0, sizeof (pCtx->m_rs_buf));
	pCtx->m_rs_count = 1600000;

	ChaCha20RngReKey(pCtx, 0);	

	if (InitialBytesToSkip)
		ChaCha20RngGetBytes (pCtx, NULL, InitialBytesToSkip);
}

void ChaCha20RngGetBytes (ChaCha20RngCtx* pCtx, unsigned char* buffer, size_t bufferLen)
{
	unsigned char *buf = (unsigned char*) buffer;
	unsigned char* keystream;
	size_t m;

	ChaCha20RngStirIfNeeded(pCtx, bufferLen);

	while (bufferLen > 0) {
		if (pCtx->m_rs_have > 0) {
			m = VC_MIN(bufferLen, pCtx->m_rs_have);
			keystream = pCtx->m_rs_buf + sizeof(pCtx->m_rs_buf) - pCtx->m_rs_have;
			if (buf)
			{
				memcpy(buf, keystream, m);
				buf += m;
			}
			memset(keystream, 0, m);
			bufferLen -= m;
			pCtx->m_rs_have -= m;
		}
		if (pCtx->m_rs_have == 0)
			ChaCha20RngReKey (pCtx, 0);
	}
}