From df974a94d10240b2159aa0ae4842955efd9252c6 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 2 Mar 2008 21:29:08 +0000 Subject: Add a arc4random_uniform() that returns a uniformly distributed number in the range 0 <= x < upper_bound Please use this new API instead of "arc4random() % upper_bound", as it avoids the "modulo bias" that favours small results when upper_bound is not a power of two. feedback deraadt@ mcbride@; ok deraadt@ --- sys/dev/rnd.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++++-- sys/dev/rndvar.h | 3 ++- sys/netinet/ip_id.c | 4 ++-- 3 files changed, 53 insertions(+), 5 deletions(-) (limited to 'sys') diff --git a/sys/dev/rnd.c b/sys/dev/rnd.c index 139a5a114f2..60df674f0aa 100644 --- a/sys/dev/rnd.c +++ b/sys/dev/rnd.c @@ -1,9 +1,10 @@ -/* $OpenBSD: rnd.c,v 1.86 2007/12/29 08:03:05 dlg Exp $ */ +/* $OpenBSD: rnd.c,v 1.87 2008/03/02 21:29:07 djm Exp $ */ /* * rnd.c -- A strong random number generator * * Copyright (c) 1996, 1997, 2000-2002 Michael Shalayeff. + * Copyright (c) 2008 Damien Miller. * * Version 1.89, last modified 19-Sep-99 * @@ -241,6 +242,7 @@ #include #include #include +#include #include #include #include @@ -574,7 +576,7 @@ arc4random_bytes_large(void *buf, size_t n) mtx_leave(&rndlock); rc4_keysetup(&lctx, lbuf, sizeof(lbuf)); - rc4_skip(&lctx, 256 * 4); + rc4_skip(&lctx, 256 * 4); rc4_getbytes(&lctx, (u_char*)buf, n); bzero(lbuf, sizeof(lbuf)); bzero(&lctx, sizeof(lctx)); @@ -598,6 +600,51 @@ arc4random_bytes(void *buf, size_t n) mtx_leave(&rndlock); } +/* + * Calculate a uniformly distributed random number less than upper_bound + * avoiding "modulo bias". + * + * Uniformity is achieved by generating new random numbers until the one + * returned is outside the range [0, 2**32 % upper_bound). This + * guarantees the selected random number will be inside + * [2**32 % upper_bound, 2**32) which maps back to [0, upper_bound) + * after reduction modulo upper_bound. + */ +u_int32_t +arc4random_uniform(u_int32_t upper_bound) +{ + u_int32_t r, min; + + if (upper_bound < 2) + return 0; + +#if (ULONG_MAX > 0xffffffffUL) + min = 0x100000000UL % upper_bound; +#else + /* Calculate (2**32 % upper_bound) avoiding 64-bit math */ + if (upper_bound > 0x80000000) + min = 1 + ~upper_bound; /* 2**32 - upper_bound */ + else { + /* (2**32 - (x * 2)) % x == 2**32 % x when x <= 2**31 */ + min = ((0xffffffff - (upper_bound << 2)) + 1) % upper_bound; + } +#endif + + /* + * This could theoretically loop forever but each retry has + * p > 0.5 (worst case, usually far better) of selecting a + * number inside the range we need, so it should rarely need + * to re-roll. + */ + for (;;) { + r = arc4random(); + if (r >= min) + break; + } + + return r % upper_bound; +} + void randomattach(void) { diff --git a/sys/dev/rndvar.h b/sys/dev/rndvar.h index 60305d48fa6..c6831502c0b 100644 --- a/sys/dev/rndvar.h +++ b/sys/dev/rndvar.h @@ -1,4 +1,4 @@ -/* $OpenBSD: rndvar.h,v 1.19 2003/11/03 18:24:28 tedu Exp $ */ +/* $OpenBSD: rndvar.h,v 1.20 2008/03/02 21:29:07 djm Exp $ */ /* * Copyright (c) 1996,2000 Michael Shalayeff. @@ -87,6 +87,7 @@ void enqueue_randomness(int, int); void get_random_bytes(void *, size_t); void arc4random_bytes(void *, size_t); u_int32_t arc4random(void); +u_int32_t arc4random_uniform(u_int32_t); #endif /* _KERNEL */ diff --git a/sys/netinet/ip_id.c b/sys/netinet/ip_id.c index a8aef8c299b..b75d79940b7 100644 --- a/sys/netinet/ip_id.c +++ b/sys/netinet/ip_id.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_id.c,v 1.16 2008/02/29 03:37:26 deraadt Exp $ */ +/* $OpenBSD: ip_id.c,v 1.17 2008/03/02 21:29:07 djm Exp $ */ /* * Copyright (c) 2008 Theo de Raadt, Ryan McBride @@ -59,7 +59,7 @@ ip_randomid(void) ip_shuffle[i] = i; for (i = sizeof(ip_shuffle)/sizeof(ip_shuffle[0]); --i; ) { /* disregard the modulo bias because it is small */ - i2 = arc4random() % (i + 1); + i2 = arc4random_uniform(i + 1); r = ip_shuffle[i]; ip_shuffle[i] = ip_shuffle[i2]; ip_shuffle[i2] = r; -- cgit v1.2.3