[openssh-commits] [openssh] branch master updated: upstream: Fill entropy in a single operation instead of hundreds.
git+noreply at mindrot.org
git+noreply at mindrot.org
Wed Jan 21 10:06:14 AEDT 2026
This is an automated email from the git hooks/post-receive script.
dtucker pushed a commit to branch master
in repository openssh.
The following commit(s) were added to refs/heads/master by this push:
new 1cc936b2f upstream: Fill entropy in a single operation instead of hundreds.
1cc936b2f is described below
commit 1cc936b2fabffeac7fff14ca1070d7d7a317ab7b
Author: dtucker at openbsd.org <dtucker at openbsd.org>
AuthorDate: Tue Jan 20 22:56:11 2026 +0000
upstream: Fill entropy in a single operation instead of hundreds.
The sntrup761 code we use from SUPERCOP fills entropy arrays 4 bytes at
a time. On some platforms each of these operations has a significant
overhead, so instead fill it in a single operation and as a precaution
zero that array after it's used.
Analysis and code change is from Mike Frysinger via Github PR#621 with
feedback from djm@ and sed-ification from me. ok djm@ beck at .
This change was submitted by Mike to SUPERCOP upstream so hopefully
future versions will already have it.
OpenBSD-Commit-ID: 0e85c82f79b1b396facac59e05b288c08048f15c
---
sntrup761.c | 22 +++++++---------------
sntrup761.sh | 24 +++++++++++++++++++++++-
2 files changed, 30 insertions(+), 16 deletions(-)
diff --git a/sntrup761.c b/sntrup761.c
index 123d01381..a731e560f 100644
--- a/sntrup761.c
+++ b/sntrup761.c
@@ -1,5 +1,4 @@
-
-/* $OpenBSD: sntrup761.c,v 1.8 2024/09/16 05:37:05 djm Exp $ */
+/* $OpenBSD: sntrup761.c,v 1.9 2026/01/20 22:56:11 dtucker Exp $ */
/*
* Public Domain, Authors:
@@ -1961,27 +1960,20 @@ static void Hash_prefix(unsigned char *out, int b, const unsigned char *in, int
for (i = 0; i < 32; ++i) out[i] = h[i];
}
-static uint32_t urandom32(void) {
- unsigned char c[4];
- uint32_t result = 0;
- int i;
- randombytes(c, 4);
- for (i = 0; i < 4; ++i) result += ((uint32_t)c[i]) << (8 * i);
- return result;
-}
static void Short_random(small *out) {
uint32_t L[p];
- int i;
- for (i = 0; i < p; ++i) L[i] = urandom32();
+ randombytes(L, sizeof(L));
Short_fromlist(out, L);
+ explicit_bzero(L, sizeof(L));
}
-
static void Small_random(small *out) {
int i;
- for (i = 0; i < p; ++i) out[i] = (((urandom32() & 0x3fffffff) * 3) >> 30) - 1;
+ uint32_t L[p];
+ randombytes(L, sizeof(L));
+ for (i = 0; i < p; ++i) out[i] = (((L[i] & 0x3fffffff) * 3) >> 30) - 1;
+ explicit_bzero(L, sizeof(L));
}
-
static void KeyGen(Fq *h, small *f, small *ginv) {
small g[p];
Fq finv[p];
diff --git a/sntrup761.sh b/sntrup761.sh
index 4de8dc334..d4da99195 100644
--- a/sntrup761.sh
+++ b/sntrup761.sh
@@ -1,5 +1,5 @@
#!/bin/sh
-# $OpenBSD: sntrup761.sh,v 1.9 2024/09/16 05:37:05 djm Exp $
+# $OpenBSD: sntrup761.sh,v 1.10 2026/01/20 22:56:11 dtucker Exp $
# Placed in the Public Domain.
#
AUTHOR="supercop-20240808/crypto_kem/sntrup761/ref/implementors"
@@ -87,6 +87,28 @@ for i in $FILES; do
*/uint32/useint32/sort.c)
sed -e "s/void crypto_sort/void crypto_sort_uint32/g"
;;
+ # Replace Short_random and Small_random with versions that fetch
+ # entropy in a single operation, then delete urandom32 as unused.
+ */crypto_kem/sntrup761/compact/kem.c)
+ sed -e '/ uint32_t urandom32/,/^}$/d' \
+ -e '/ void Short_random/i\
+static void Short_random(small *out) {\
+ uint32_t L[p];\
+ randombytes(L, sizeof(L));\
+ Short_fromlist(out, L);\
+ explicit_bzero(L, sizeof(L));\
+}' \
+ -e '/ void Short_random(/,/^}$/d' \
+ -e '/ void Small_random/i\
+static void Small_random(small *out) {\
+ int i;\
+ uint32_t L[p];\
+ randombytes(L, sizeof(L));\
+ for (i = 0; i < p; ++i) out[i] = (((L[i] & 0x3fffffff) * 3) >> 30) - 1;\
+ explicit_bzero(L, sizeof(L));\
+}' \
+ -e '/ void Small_random(/,/^}$/d'
+ ;;
# Remove unused function to prevent warning.
*/crypto_kem/sntrup761/ref/int32.c)
sed -e '/ int32_div_uint14/,/^}$/d'
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
More information about the openssh-commits
mailing list