3 /*-
22 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
34 * ChaCha20 PRF, with per-thread state.
37 * - An attacker who sees some outputs cannot predict past or future
39 * - An attacker who sees the PRNG state cannot predict past outputs.
40 * - An attacker who sees a child's PRNG state cannot predict past or
45 * (a) the crypto self-test fails,
49 * The crypto self-test, pthread_atfork, and thr_keycreate occur only
87 * For standard ChaCha, use le32dec/le32enc. We don't need that for
88 * the purposes of a nondeterministic random number generator -- we
89 * don't need to be bit-for-bit compatible over any wire.
109 /* ChaCha core */
122 return (u << c) | (u >> (32 - c));
132 static const uint8_t crypto_core_constant32[16] = "expand 32-byte k";
159 for (i = crypto_core_ROUNDS; i > 0; i -= 2) {
188 /* ChaCha self-test */
194 * <http://tools.ietf.org/html/draft-strombergson-chacha-test-vectors-00>,
195 * test vectors for ChaCha12 and ChaCha8 and for big-endian machines
264 # error Byte order must be little-endian or big-endian.
309 (crypto_core_OUTPUTBYTES - crypto_prng_SEEDBYTES)
317 (void)memcpy(prng->state, seed, crypto_prng_SEEDBYTES);
327 __CTASSERT(sizeof prng->state + crypto_prng_MAXOUTPUTBYTES
330 crypto_core(output, nonce, prng->state, crypto_core_constant32);
331 (void)memcpy(prng->state, output, sizeof prng->state);
332 (void)memcpy(buf, output + sizeof prng->state, n);
336 /* One-time stream: expand short single-use secret into long secret */
367 ni = p32 - p8;
370 nb = (n - ni) / sizeof block;
371 nf = (n - ni) % sizeof block;
386 while (nb--) {
410 * (unsigned)-1. It may wrap around but it skips (unsigned)-1 and
414 * XXX This should get it from a page shared read-only by kernel
416 * sysctl -- incurring the cost of a syscall -- will have to
425 unsigned epoch = (unsigned)-1;
440 if (sysctlnametomib("kern.entropy.epoch", mib, &nmib) == -1)
441 return (unsigned)-1;
443 return (unsigned)-1;
451 if (sysctl(mib, __arraycount(mib), &epoch, &epochlen, NULL, 0) == -1)
452 return (unsigned)-1;
454 return (unsigned)-1;
459 /* arc4random state: per-thread, per-process (zeroed in child on fork) */
475 crypto_prng_buf(&prng->arc4_prng, buf, sizeof buf);
478 if (sysctl(mib, (u_int)__arraycount(mib), buf, &buflen, NULL, 0) == -1)
491 crypto_prng_seed(&prng->arc4_prng, buf);
493 prng->arc4_epoch = epoch;
503 prng = mmap(NULL, size, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1,
507 if (minherit(prng, size, MAP_INHERIT_ZERO) == -1)
602 /* Get or create the per-thread PRNG state. */
617 if (__predict_false(prng->arc4_epoch != entropy_epoch()))
641 crypto_prng_buf(&prng->arc4_prng, &v, sizeof v);
654 crypto_prng_buf(&prng->arc4_prng, buf, len);
660 crypto_prng_buf(&prng->arc4_prng, seed, sizeof seed);
683 * 2^32 mod n = 2^32 mod n - 0
684 * = 2^32 mod n - n mod n
685 * = (2^32 - n) mod n,
687 * the last of which is what we compute in 32-bit arithmetic.
689 minimum = (-bound % bound);
692 do crypto_prng_buf(&prng->arc4_prng, &r, sizeof r);
774 arc4random_buf(buf, n - a);
775 if (memcmp(buf + n - a, zero64, a) != 0)
779 arc4random_buf(buf + a, n - a);
785 arc4random_buf(buf + a, n - a - a);
786 if (memcmp(buf + n - a, zero64, a) != 0)
793 /* Test fork-safety. */
800 case -1:
812 _exit(prng->arc4_epoch != 0);
816 if (rpid == -1)