From c0a9c3b551ed5d9b3a9d8389e36a3eb059662702 Mon Sep 17 00:00:00 2001
From: cinap_lenrek
Date: Sun, 11 Sep 2016 19:07:17 +0200
Subject: kernel: rekey chacha state on each randomread() invocation

we can encrypt the 256 bit chacha key on each invocation making it hard to reconstruct previous outputs of the generator given the current state (backtracking resiatance).
---
 sys/src/9/port/random.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sys/src/9/port/random.c b/sys/src/9/port/random.c
index c6dd838f4..b27e5720d 100644
--- a/sys/src/9/port/random.c
+++ b/sys/src/9/port/random.c
@@ -96,9 +96,10 @@ randomread(void *p, ulong n)
 if(hwrandbuf != nil)
 (*hwrandbuf)(p, n);
 
- /* copy chacha state and increment iv */
+ /* copy chacha state, rekey and increment iv */
 qlock(rs);
 c = *rs;
+ chacha_encrypt((uchar*)&rs->input[4], 32, &c);
 if(++rs->input[13] == 0)
 if(++rs->input[14] == 0)
 ++rs->input[15];
-- 
cgit v1.2.3
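Review bot: The added rekey line `chacha_encrypt((uchar*)&rs->input[4], 32, &c);` depends on two properties the hunk does not show, and the comment above it should state them. It XORs keystream generated from the copy `c`, which still holds the old key, over what are presumably the eight key words `input[4..11]`, so the backtracking resistance only holds if `c` is wiped once randomread() is finished with it, and if the bytes handed to the caller come from a later block than the one used to rekey (this relies on chacha_encrypt advancing the block counter in `c`). I would extend the comment to something like `/* copy chacha state, rekey (input[4..11] ^= keystream under the old key) and increment iv; c must be zeroed after use */`, and replace the literal `32` with a named key-length constant if one is in scope. randomread()'s body continues past the end of the hunk, so the wipe of `c` and the output call could not be checked here.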