Introduce a facility to generate unpredictable 32 bit numbers with

near maximal (2^32) cycle times. These are useful for network
IDs in cases where there are negative consequences to ID prediction
and/or reuse.

Use the idgen32() functions to generate IPv6 IDs and NFS client/server
XIDs.

Pseudorandom permutation code in crypto/idgen.c based on public
domain skip32.c from Greg Rose.

feedback & ok thib@ deraadt@

10 files changed, 237 insertions, 38 deletions

diff --git a/sys/conf/files b/sys/conf/files
index 6651bbeb9d9..958ab8fd5fd 100644
--- a/sys/conf/files
+++ b/sys/conf/files
@@ -1,4 +1,4 @@
-#	$OpenBSD: files,v 1.431 2008/05/06 13:33:50 pyr Exp $
+#	$OpenBSD: files,v 1.432 2008/06/09 22:47:41 djm Exp $
 #	$NetBSD: files,v 1.87 1996/05/19 17:17:50 jonathan Exp $
 
 #	@(#)files.newconf	7.5 (Berkeley) 5/10/93
@@ -839,6 +839,7 @@ file crypto/xform.c			(inet & ipsec) | crypto
 file crypto/deflate.c			(inet & ipsec) | crypto
 file crypto/arc4.c			
 file crypto/michael.c			wlan
+file crypto/idgen.c			inet6 | nfsclient | nfsserver
 file netatalk/aarp.c			netatalk
 file netatalk/at_control.c		netatalk
 file netatalk/at_proto.c		netatalk
diff --git a/sys/crypto/idgen.c b/sys/crypto/idgen.c
new file mode 100644
index 00000000000..e96de57c6a0
--- /dev/null
+++ b/sys/crypto/idgen.c
@@ -0,0 +1,137 @@
+/*
+ * Copyright (c) 2008 Damien Miller <djm@mindrot.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * IDGEN32: non-repeating ID generation covering an almost maximal
+ * 32 bit range.
+ * Based on public domain SKIP32 by Greg Rose.
+ */
+
+#include <sys/types.h>
+#include <sys/systm.h>
+#include <dev/rndvar.h>
+#include <crypto/idgen.h>
+
+static u_int16_t idgen32_g(u_int8_t *, int, u_int16_t);
+u_int32_t idgen32_permute(u_int8_t key[IDGEN32_KEYLEN], u_int32_t);
+void idgen32_rekey(struct idgen32_ctx *);
+
+static const u_int8_t ftable[256] = { 
+	0xa3, 0xd7, 0x09, 0x83, 0xf8, 0x48, 0xf6, 0xf4,
+	0xb3, 0x21, 0x15, 0x78, 0x99, 0xb1, 0xaf, 0xf9,
+	0xe7, 0x2d, 0x4d, 0x8a, 0xce, 0x4c, 0xca, 0x2e,
+	0x52, 0x95, 0xd9, 0x1e, 0x4e, 0x38, 0x44, 0x28,
+	0x0a, 0xdf, 0x02, 0xa0, 0x17, 0xf1, 0x60, 0x68,
+	0x12, 0xb7, 0x7a, 0xc3, 0xe9, 0xfa, 0x3d, 0x53,
+	0x96, 0x84, 0x6b, 0xba, 0xf2, 0x63, 0x9a, 0x19,
+	0x7c, 0xae, 0xe5, 0xf5, 0xf7, 0x16, 0x6a, 0xa2,
+	0x39, 0xb6, 0x7b, 0x0f, 0xc1, 0x93, 0x81, 0x1b,
+	0xee, 0xb4, 0x1a, 0xea, 0xd0, 0x91, 0x2f, 0xb8,
+	0x55, 0xb9, 0xda, 0x85, 0x3f, 0x41, 0xbf, 0xe0,
+	0x5a, 0x58, 0x80, 0x5f, 0x66, 0x0b, 0xd8, 0x90,
+	0x35, 0xd5, 0xc0, 0xa7, 0x33, 0x06, 0x65, 0x69,
+	0x45, 0x00, 0x94, 0x56, 0x6d, 0x98, 0x9b, 0x76,
+	0x97, 0xfc, 0xb2, 0xc2, 0xb0, 0xfe, 0xdb, 0x20,
+	0xe1, 0xeb, 0xd6, 0xe4, 0xdd, 0x47, 0x4a, 0x1d,
+	0x42, 0xed, 0x9e, 0x6e, 0x49, 0x3c, 0xcd, 0x43,
+	0x27, 0xd2, 0x07, 0xd4, 0xde, 0xc7, 0x67, 0x18,
+	0x89, 0xcb, 0x30, 0x1f, 0x8d, 0xc6, 0x8f, 0xaa,
+	0xc8, 0x74, 0xdc, 0xc9, 0x5d, 0x5c, 0x31, 0xa4,
+	0x70, 0x88, 0x61, 0x2c, 0x9f, 0x0d, 0x2b, 0x87,
+	0x50, 0x82, 0x54, 0x64, 0x26, 0x7d, 0x03, 0x40,
+	0x34, 0x4b, 0x1c, 0x73, 0xd1, 0xc4, 0xfd, 0x3b,
+	0xcc, 0xfb, 0x7f, 0xab, 0xe6, 0x3e, 0x5b, 0xa5,
+	0xad, 0x04, 0x23, 0x9c, 0x14, 0x51, 0x22, 0xf0,
+	0x29, 0x79, 0x71, 0x7e, 0xff, 0x8c, 0x0e, 0xe2,
+	0x0c, 0xef, 0xbc, 0x72, 0x75, 0x6f, 0x37, 0xa1,
+	0xec, 0xd3, 0x8e, 0x62, 0x8b, 0x86, 0x10, 0xe8,
+	0x08, 0x77, 0x11, 0xbe, 0x92, 0x4f, 0x24, 0xc5,
+	0x32, 0x36, 0x9d, 0xcf, 0xf3, 0xa6, 0xbb, 0xac,
+	0x5e, 0x6c, 0xa9, 0x13, 0x57, 0x25, 0xb5, 0xe3,
+	0xbd, 0xa8, 0x3a, 0x01, 0x05, 0x59, 0x2a, 0x46
+};
+
+static u_int16_t
+idgen32_g(u_int8_t *key, int k, u_int16_t w)
+{
+	u_int8_t g1, g2, g3, g4, g5, g6;
+	u_int o = k * 4;
+
+	g1 = (w >> 8) & 0xff;
+	g2 = w & 0xff;
+
+	g3 = ftable[g2 ^ key[o++ & (IDGEN32_KEYLEN - 1)]] ^ g1;
+	g4 = ftable[g3 ^ key[o++ & (IDGEN32_KEYLEN - 1)]] ^ g2;
+	g5 = ftable[g4 ^ key[o++ & (IDGEN32_KEYLEN - 1)]] ^ g3;
+	g6 = ftable[g5 ^ key[o++ & (IDGEN32_KEYLEN - 1)]] ^ g4;
+
+	return (g5 << 8) | g6;
+}
+
+u_int32_t
+idgen32_permute(u_int8_t key[IDGEN32_KEYLEN], u_int32_t in)
+{
+	u_int i, r;
+	u_int16_t wl, wr;
+
+	wl = (in >> 16) & 0x7fff;
+	wr = in & 0xffff;
+
+	/* Doubled up rounds, with an odd round at the end to swap */
+	for (i = r = 0; i < IDGEN32_ROUNDS / 2; ++i) {
+		wr ^= (idgen32_g(key, r, wl) ^ r);
+		r++;
+		wl ^= (idgen32_g(key, r, wr) ^ r) & 0x7fff;
+		r++;
+	}
+	wr ^= (idgen32_g(key, r, wl) ^ r);
+
+	return (wl << 16) | wr;
+}
+
+void
+idgen32_rekey(struct idgen32_ctx *ctx)
+{
+	ctx->counter = 0;
+	ctx->hibit ^= 0x80000000;
+	arc4random_buf(ctx->key, sizeof(ctx->key));
+}
+
+void
+idgen32_init(struct idgen32_ctx *ctx)
+{
+	bzero(ctx, sizeof(ctx));
+	ctx->hibit = arc4random() & 0x80000000;
+	idgen32_rekey(ctx);
+}
+
+u_int32_t
+idgen32(struct idgen32_ctx *ctx)
+{
+	u_int32_t ret;
+
+	/* Avoid emitting a zero ID as they often have special meaning */
+	do {
+		ret = idgen32_permute(ctx->key, ctx->counter++) | ctx->hibit;
+
+		/* Rekey a little early to avoid "card counting" attack */
+		if (ctx->counter > IDGEN32_REKEY_LIMIT)
+			idgen32_rekey(ctx);
+	} while (ret == 0);
+
+	return ret;
+}
+
diff --git a/sys/crypto/idgen.h b/sys/crypto/idgen.h
new file mode 100644
index 00000000000..588aa15aa64
--- /dev/null
+++ b/sys/crypto/idgen.h
@@ -0,0 +1,30 @@
+/*	$OpenBSD: idgen.h,v 1.1 2008/06/09 22:47:41 djm Exp $	*/
+/*
+ * Copyright (c) 2008 Damien Miller <djm@mindrot.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#define IDGEN32_ROUNDS		31
+#define IDGEN32_KEYLEN		32
+#define IDGEN32_REKEY_LIMIT	0x7ff00000
+
+struct idgen32_ctx {
+	u_int32_t counter;
+	u_int32_t hibit;
+	u_int8_t key[IDGEN32_KEYLEN];
+};
+
+void idgen32_init(struct idgen32_ctx *);
+u_int32_t idgen32(struct idgen32_ctx *);
+
diff --git a/sys/netinet6/ip6_id.c b/sys/netinet6/ip6_id.c
index db562454533..580d1b72062 100644
--- a/sys/netinet6/ip6_id.c
+++ b/sys/netinet6/ip6_id.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ip6_id.c,v 1.6 2008/04/18 06:42:20 djm Exp $	*/
+/*	$OpenBSD: ip6_id.c,v 1.7 2008/06/09 22:47:42 djm Exp $	*/
 /*	$NetBSD: ip6_id.c,v 1.7 2003/09/13 21:32:59 itojun Exp $	*/
 /*	$KAME: ip6_id.c,v 1.8 2003/09/06 13:41:06 itojun Exp $	*/
 
@@ -113,17 +113,6 @@ struct randomtab {
 	long ru_reseed;
 };
 
-static struct randomtab randomtab_32 = {
-	32,			/* resulting bits */
-	180,			/* Time after wich will be reseeded */
-	1000000000,		/* Uniq cycle, avoid blackjack prediction */
-	2,			/* Starting generator */
-	2147483629,		/* RU_N-1 = 2^2*3^2*59652323 */
-	7,			/* determine ru_a as RU_AGEN^(2*rand) */
-	1836660096,		/* RU_M = 2^7*3^15 - don't change */
-	{ 2, 3, 59652323, 0 },	/* factors of ru_n */
-};
-
 static struct randomtab randomtab_20 = {
 	20,			/* resulting bits */
 	180,			/* Time after wich will be reseeded */
@@ -239,15 +228,8 @@ randomid(struct randomtab *p)
 }
 
 u_int32_t
-ip6_randomid(void)
-{
-
-	return randomid(&randomtab_32);
-}
-
-u_int32_t
 ip6_randomflowlabel(void)
 {
-
 	return randomid(&randomtab_20) & 0xfffff;
 }
+
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index 0e645ad416b..fb99a69a989 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ip6_input.c,v 1.84 2008/05/15 19:40:38 markus Exp $	*/
+/*	$OpenBSD: ip6_input.c,v 1.85 2008/06/09 22:47:42 djm Exp $	*/
 /*	$KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $	*/
 
 /*
@@ -160,6 +160,7 @@ ip6_init()
 		    pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW)
 			ip6_protox[pr->pr_protocol] = pr - inet6sw;
 	ip6intrq.ifq_maxlen = ip6qmaxlen;
+	ip6_randomid_init();
 	nd6_init();
 	frag6_init();
 	ip6_init2((void *)0);
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index cca6865818d..d8faf8bbabf 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ip6_output.c,v 1.100 2008/03/31 21:15:20 deraadt Exp $	*/
+/*	$OpenBSD: ip6_output.c,v 1.101 2008/06/09 22:47:42 djm Exp $	*/
 /*	$KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $	*/
 
 /*
@@ -88,6 +88,8 @@
 #include <netinet6/nd6.h>
 #include <netinet6/ip6protosw.h>
 
+#include <crypto/idgen.h>
+
 #if NPF > 0
 #include <net/pfvar.h>
 #endif
@@ -132,6 +134,9 @@ static int ip6_getpmtu(struct route_in6 *, struct route_in6 *,
 	struct ifnet *, struct in6_addr *, u_long *, int *);
 static int copypktopts(struct ip6_pktopts *, struct ip6_pktopts *, int);
 
+/* Context for non-repeating IDs */
+struct idgen32_ctx ip6_id_ctx;
+
 /*
  * IP6 output. The packet in mbuf chain m contains a skeletal IP6
  * header (with pri, len, nxt, hlim, src, dst).
@@ -3225,3 +3230,16 @@ ip6_optlen(inp)
 	return len;
 #undef elen
 }
+
+u_int32_t
+ip6_randomid(void)
+{
+	return idgen32(&ip6_id_ctx);
+}
+
+void
+ip6_randomid_init(void)
+{
+	idgen32_init(&ip6_id_ctx);
+}
+
diff --git a/sys/netinet6/ip6_var.h b/sys/netinet6/ip6_var.h
index b560d21ee74..33f35df951d 100644
--- a/sys/netinet6/ip6_var.h
+++ b/sys/netinet6/ip6_var.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ip6_var.h,v 1.32 2007/12/14 18:33:41 deraadt Exp $	*/
+/*	$OpenBSD: ip6_var.h,v 1.33 2008/06/09 22:47:42 djm Exp $	*/
 /*	$KAME: ip6_var.h,v 1.33 2000/06/11 14:59:20 jinmei Exp $	*/
 
 /*
@@ -297,6 +297,8 @@ int	ip6_setpktopts(struct mbuf *, struct ip6_pktopts *,
 void	ip6_clearpktopts(struct ip6_pktopts *, int);
 struct ip6_pktopts *ip6_copypktopts(struct ip6_pktopts *, int);
 int	ip6_optlen(struct inpcb *);
+void	ip6_randomid_init(void);
+u_int32_t ip6_randomid(void);
 
 int	route6_input(struct mbuf **, int *, int);
 
@@ -324,7 +326,6 @@ int	in6_selectroute(struct sockaddr_in6 *, struct ip6_pktopts *,
 	    struct ip6_moptions *, struct route_in6 *, struct ifnet **,
 	    struct rtentry **);
 
-u_int32_t ip6_randomid(void);
 u_int32_t ip6_randomflowlabel(void);
 #endif /* _KERNEL */
 
diff --git a/sys/nfs/krpc_subr.c b/sys/nfs/krpc_subr.c
index 39dfe6ffa59..363a837d985 100644
--- a/sys/nfs/krpc_subr.c
+++ b/sys/nfs/krpc_subr.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: krpc_subr.c,v 1.15 2008/05/23 15:51:12 thib Exp $	*/
+/*	$OpenBSD: krpc_subr.c,v 1.16 2008/06/09 22:47:42 djm Exp $	*/
 /*	$NetBSD: krpc_subr.c,v 1.12.4.1 1996/06/07 00:52:26 cgd Exp $	*/
 
 /*
@@ -61,6 +61,7 @@
 #include <nfs/krpc.h>
 #include <nfs/xdr_subs.h>
 #include <dev/rndvar.h>
+#include <crypto/idgen.h>
 
 /*
  * Kernel support for Sun RPC
@@ -115,6 +116,24 @@ struct rpc_reply {
 
 #define MIN_REPLY_HDR 16	/* xid, dir, astat, errno */
 
+u_int32_t krpc_get_xid(void);
+
+/*
+ * Return an unpredictable XID.
+ */
+u_int32_t
+krpc_get_xid(void)
+{
+	static struct idgen32_ctx krpc_xid_ctx;
+	static int called = 0;
+
+	if (!called) {
+		called = 1;
+		idgen32_init(&krpc_xid_ctx);
+	}
+	return idgen32(&krpc_xid_ctx);
+}
+
 /*
  * What is the longest we will wait before re-sending a request?
  * Note this is also the frequency of "RPC timeout" messages.
@@ -201,7 +220,6 @@ krpc_call(sa, prog, vers, func, data, from_p, retries)
 	struct uio auio;
 	int error, rcvflg, timo, secs, len;
 	static u_int32_t xid = 0;
-	u_int32_t newxid;
 	int *ip;
 	struct timeval *tv;
 
@@ -299,8 +317,7 @@ krpc_call(sa, prog, vers, func, data, from_p, retries)
 	mhead->m_len = sizeof(*call);
 	bzero((caddr_t)call, sizeof(*call));
 	/* rpc_call part */
-	while ((newxid = arc4random()) == xid);
-	xid = newxid;
+	xid = krpc_get_xid();
 	call->rp_xid = txdr_unsigned(xid);
 	/* call->rp_direction = 0; */
 	call->rp_rpcvers = txdr_unsigned(2);
diff --git a/sys/nfs/nfs_subs.c b/sys/nfs/nfs_subs.c
index 4a685c0402c..a0388edd5d5 100644
--- a/sys/nfs/nfs_subs.c
+++ b/sys/nfs/nfs_subs.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: nfs_subs.c,v 1.74 2008/04/22 18:53:34 thib Exp $	*/
+/*	$OpenBSD: nfs_subs.c,v 1.75 2008/06/09 22:47:42 djm Exp $	*/
 /*	$NetBSD: nfs_subs.c,v 1.27.4.3 1996/07/08 20:34:24 jtc Exp $	*/
 
 /*
@@ -72,6 +72,7 @@
 #include <netinet/in.h>
 
 #include <dev/rndvar.h>
+#include <crypto/idgen.h>
 
 int	nfs_attrtimeo(struct nfsnode *np);
 
@@ -547,6 +548,22 @@ nfsm_reqh(vp, procid, hsiz, bposp)
 }
 
 /*
+ * Return an unpredictable XID.
+ */
+u_int32_t
+nfsm_get_xid(void)
+{
+	static struct idgen32_ctx nfs_xid_ctx;
+	static int called = 0;
+
+	if (!called) {
+		called = 1;
+		idgen32_init(&nfs_xid_ctx);
+	}
+	return idgen32(&nfs_xid_ctx);
+}
+
+/*
  * Build the RPC header and fill in the authorization info.
  * Right now we are pretty centric around RPCAUTH_UNIX, in the
  * future, this function will need some love to be able to handle
@@ -558,7 +575,6 @@ nfsm_rpchead(struct nfsreq *req, struct ucred *cr, int auth_type,
 {
 	struct mbuf	*mb;
 	u_int32_t	*tl;
-	u_int32_t	xid;
 	caddr_t		bpos;
 	int		i, authsiz, auth_len, ngroups;
 
@@ -602,12 +618,7 @@ nfsm_rpchead(struct nfsreq *req, struct ucred *cr, int auth_type,
 	tl = nfsm_build(&mb, 6 * NFSX_UNSIGNED, &bpos);
 
 	/* Get a new (non-zero) xid */
-	do {
-		while ((xid = arc4random() & 0xff) == 0)
-			;
-		nfs_xid += xid;
-	} while (nfs_xid == 0);
-
+	nfs_xid = nfsm_get_xid();
 
 	*tl++ = req->r_xid = txdr_unsigned(nfs_xid);
 	*tl++ = rpc_call;
diff --git a/sys/nfs/nfs_var.h b/sys/nfs/nfs_var.h
index 7abe9411ce7..19e29c0afa2 100644
--- a/sys/nfs/nfs_var.h
+++ b/sys/nfs/nfs_var.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: nfs_var.h,v 1.35 2008/04/22 18:53:34 thib Exp $	*/
+/*	$OpenBSD: nfs_var.h,v 1.36 2008/06/09 22:47:42 djm Exp $	*/
 /*	$NetBSD: nfs_var.h,v 1.3 1996/02/18 11:53:54 fvdl Exp $	*/
 
 /*
@@ -238,6 +238,7 @@ void nfsrv_cleancache(void);
 
 /* nfs_subs.c */
 struct mbuf *nfsm_reqh(struct vnode *, u_long, int, caddr_t *);
+u_int32_t nfsm_get_xid(void);
 void nfsm_rpchead(struct nfsreq *, struct ucred *, int, struct mbuf *, int);
 void *nfsm_build(struct mbuf **, u_int, caddr_t *);
 int nfsm_mbuftouio(struct mbuf **, struct uio *, int, caddr_t *);