From 95c9f5bf37a5d8a659aa1aad34dee81afbdf8938 Mon Sep 17 00:00:00 2001
From: cinap_lenrek
Date: Sun, 11 Sep 2016 03:18:48 +0200
Subject: kernel: better nonce partitioning for chacha random number generator
leave the block counter to chacha_encrypt() and increment the 96 bit iv instead.
---
 sys/src/9/port/random.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/sys/src/9/port/random.c b/sys/src/9/port/random.c
index 253c89b03..c6dd838f4 100644
--- a/sys/src/9/port/random.c
+++ b/sys/src/9/port/random.c
@@ -89,7 +89,6 @@ ulong
 randomread(void *p, ulong n)
 {
 Chachastate c;
- ulong b;
 if(n == 0)
 return 0;
@@ -97,12 +96,12 @@ randomread(void *p, ulong n)
 if(hwrandbuf != nil)
 (*hwrandbuf)(p, n);
- /* copy chacha state and advance block counter */
+ /* copy chacha state and increment iv */
 qlock(rs);
 c = *rs;
- b = rs->input[12];
- rs->input[12] += (n + ChachaBsize-1)/ChachaBsize;
- if(rs->input[12] < b) rs->input[13]++;
+ if(++rs->input[13] == 0)
+ if(++rs->input[14] == 0)
+ ++rs->input[15];
 qunlock(rs);
 /* encrypt the buffer, can fault */
-- 
cgit v1.2.3
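Review bot: The locked section of randomread() in the second hunk now depends on an invariant that the comment does not state: each call must copy a distinct 96-bit iv from input[13..15], and input[12] in the shared state has to stay at its seeded value, because nothing in this hunk advances it in rs any more. I would say so in the comment, e.g. `/* copy chacha state; every read gets its own iv, input[12] is left to chacha_encrypt() */`, so that a later change to the seeding code does not quietly bring back keystream overlap between reads. The key words are also untouched here, so unless the state is rekeyed somewhere outside the hunk, anyone who obtains *rs could recompute earlier outputs by stepping the iv backwards. The function body continues past the hunk, so whether the stack copy `c` is cleared after chacha_encrypt() cannot be confirmed from these lines.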