libc/gen/arc4random.c

268962Spfg/*	$OpenBSD: arc4random.c,v 1.24 2013/06/11 16:59:50 deraadt Exp $	*/
227519Sdas
26628Sache/*
180672Sache * Copyright (c) 1996, David Mazieres <dm@uun.org>
180672Sache * Copyright (c) 2008, Damien Miller <djm@openbsd.org>
26628Sache *
180672Sache * Permission to use, copy, modify, and distribute this software for any
180672Sache * purpose with or without fee is hereby granted, provided that the above
180672Sache * copyright notice and this permission notice appear in all copies.
180672Sache *
180672Sache * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
180672Sache * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
180672Sache * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
180672Sache * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
180672Sache * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
180672Sache * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
180672Sache * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
26628Sache */
26628Sache
26628Sache/*
180672Sache * Arc4 random number generator for OpenBSD.
180672Sache *
26628Sache * This code is derived from section 17.1 of Applied Cryptography,
26628Sache * second edition, which describes a stream cipher allegedly
26628Sache * compatible with RSA Labs "RC4" cipher (the actual description of
26628Sache * which is a trade secret).  The same algorithm is used as a stream
26628Sache * cipher called "arcfour" in Tatu Ylonen's ssh package.
26628Sache *
26628Sache * RC4 is a registered trademark of RSA Laboratories.
26628Sache */
26628Sache
92986Sobrien#include <sys/cdefs.h>
92986Sobrien__FBSDID("$FreeBSD$");
92986Sobrien
71579Sdeischen#include "namespace.h"
227520Sdas#include <fcntl.h>
227520Sdas#include <limits.h>
227520Sdas#include <stdlib.h>
227520Sdas#include <unistd.h>
92986Sobrien#include <sys/types.h>
227520Sdas#include <sys/param.h>
238118Spjd#include <sys/sysctl.h>
92986Sobrien#include <sys/time.h>
127373Sgreen#include <pthread.h>
127373Sgreen
127373Sgreen#include "libc_private.h"
71579Sdeischen#include "un-namespace.h"
26628Sache
227519Sdas#ifdef __GNUC__
227519Sdas#define inline __inline
227519Sdas#else				/* !__GNUC__ */
227519Sdas#define inline
227519Sdas#endif				/* !__GNUC__ */
227519Sdas
26628Sachestruct arc4_stream {
26628Sache	u_int8_t i;
26628Sache	u_int8_t j;
26628Sache	u_int8_t s[256];
26628Sache};
26628Sache
127373Sgreenstatic pthread_mutex_t	arc4random_mtx = PTHREAD_MUTEX_INITIALIZER;
127373Sgreen
182886Sache#define	RANDOMDEV	"/dev/random"
227519Sdas#define	KEYSIZE		128
227519Sdas#define	_ARC4_LOCK()						\
127373Sgreen	do {							\
127373Sgreen		if (__isthreaded)				\
127373Sgreen			_pthread_mutex_lock(&arc4random_mtx);	\
127373Sgreen	} while (0)
127373Sgreen
227519Sdas#define	_ARC4_UNLOCK()						\
127373Sgreen	do {							\
127373Sgreen		if (__isthreaded)				\
127373Sgreen			_pthread_mutex_unlock(&arc4random_mtx);	\
127373Sgreen	} while (0)
127373Sgreen
227520Sdasstatic int rs_initialized;
127373Sgreenstatic struct arc4_stream rs;
227520Sdasstatic pid_t arc4_stir_pid;
162995Sachestatic int arc4_count;
26628Sache
238118Spjdextern int __sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp,
238118Spjd    void *newp, size_t newlen);
238118Spjd
180672Sachestatic inline u_int8_t arc4_getbyte(void);
180672Sachestatic void arc4_stir(void);
124741Sdas
26628Sachestatic inline void
180672Sachearc4_init(void)
26628Sache{
26628Sache	int     n;
26628Sache
26628Sache	for (n = 0; n < 256; n++)
180672Sache		rs.s[n] = n;
180672Sache	rs.i = 0;
180672Sache	rs.j = 0;
26628Sache}
26628Sache
26628Sachestatic inline void
180672Sachearc4_addrandom(u_char *dat, int datlen)
26628Sache{
26628Sache	int     n;
26628Sache	u_int8_t si;
26628Sache
180672Sache	rs.i--;
26628Sache	for (n = 0; n < 256; n++) {
180672Sache		rs.i = (rs.i + 1);
180672Sache		si = rs.s[rs.i];
180672Sache		rs.j = (rs.j + si + dat[n % datlen]);
180672Sache		rs.s[rs.i] = rs.s[rs.j];
180672Sache		rs.s[rs.j] = si;
26628Sache	}
180672Sache	rs.j = rs.i;
26628Sache}
26628Sache
238118Spjdstatic size_t
238118Spjdarc4_sysctl(u_char *buf, size_t size)
238118Spjd{
238118Spjd	int mib[2];
238118Spjd	size_t len, done;
238118Spjd
238118Spjd	mib[0] = CTL_KERN;
238118Spjd	mib[1] = KERN_ARND;
238118Spjd	done = 0;
238118Spjd
238118Spjd	do {
238118Spjd		len = size;
238118Spjd		if (__sysctl(mib, 2, buf, &len, NULL, 0) == -1)
238118Spjd			return (done);
238118Spjd		done += len;
238118Spjd		buf += len;
238118Spjd		size -= len;
238118Spjd	} while (size > 0);
238118Spjd
238118Spjd	return (done);
238118Spjd}
238118Spjd
26628Sachestatic void
180672Sachearc4_stir(void)
26628Sache{
227519Sdas	int done, fd, i;
26628Sache	struct {
181261Sache		struct timeval	tv;
227519Sdas		pid_t		pid;
227519Sdas		u_char	 	rnd[KEYSIZE];
181261Sache	} rdat;
26628Sache
227520Sdas	if (!rs_initialized) {
227520Sdas		arc4_init();
227520Sdas		rs_initialized = 1;
227520Sdas	}
181261Sache	done = 0;
238118Spjd	if (arc4_sysctl((u_char *)&rdat, KEYSIZE) == KEYSIZE)
238118Spjd		done = 1;
238118Spjd	if (!done) {
241046Sjilles		fd = _open(RANDOMDEV, O_RDONLY | O_CLOEXEC, 0);
238118Spjd		if (fd >= 0) {
238118Spjd			if (_read(fd, &rdat, KEYSIZE) == KEYSIZE)
238118Spjd				done = 1;
238118Spjd			(void)_close(fd);
238118Spjd		}
227519Sdas	}
181261Sache	if (!done) {
181261Sache		(void)gettimeofday(&rdat.tv, NULL);
181261Sache		rdat.pid = getpid();
181261Sache		/* We'll just take whatever was on the stack too... */
181261Sache	}
26628Sache
181261Sache	arc4_addrandom((u_char *)&rdat, KEYSIZE);
124741Sdas
124741Sdas	/*
227519Sdas	 * Discard early keystream, as per recommendations in:
227519Sdas	 * "(Not So) Random Shuffles of RC4" by Ilya Mironov.
124741Sdas	 */
227519Sdas	for (i = 0; i < 1024; i++)
227519Sdas		(void)arc4_getbyte();
180655Sache	arc4_count = 1600000;
26628Sache}
26628Sache
227520Sdasstatic void
227520Sdasarc4_stir_if_needed(void)
227520Sdas{
227520Sdas	pid_t pid = getpid();
227520Sdas
268962Spfg	if (arc4_count <= 0 || !rs_initialized || arc4_stir_pid != pid) {
227520Sdas		arc4_stir_pid = pid;
227520Sdas		arc4_stir();
227520Sdas	}
227520Sdas}
227520Sdas
26628Sachestatic inline u_int8_t
180672Sachearc4_getbyte(void)
26628Sache{
26628Sache	u_int8_t si, sj;
26628Sache
180672Sache	rs.i = (rs.i + 1);
180672Sache	si = rs.s[rs.i];
180672Sache	rs.j = (rs.j + si);
180672Sache	sj = rs.s[rs.j];
180672Sache	rs.s[rs.i] = sj;
180672Sache	rs.s[rs.j] = si;
180672Sache	return (rs.s[(si + sj) & 0xff]);
26628Sache}
26628Sache
26628Sachestatic inline u_int32_t
180672Sachearc4_getword(void)
26628Sache{
26628Sache	u_int32_t val;
180672Sache	val = arc4_getbyte() << 24;
180672Sache	val |= arc4_getbyte() << 16;
180672Sache	val |= arc4_getbyte() << 8;
180672Sache	val |= arc4_getbyte();
227519Sdas	return val;
26628Sache}
26628Sache
127373Sgreenvoid
169981Sdelphijarc4random_stir(void)
127373Sgreen{
227519Sdas	_ARC4_LOCK();
180672Sache	arc4_stir();
227519Sdas	_ARC4_UNLOCK();
26628Sache}
26628Sache
26628Sachevoid
169981Sdelphijarc4random_addrandom(u_char *dat, int datlen)
26628Sache{
227519Sdas	_ARC4_LOCK();
227520Sdas	if (!rs_initialized)
227520Sdas		arc4_stir();
180672Sache	arc4_addrandom(dat, datlen);
227519Sdas	_ARC4_UNLOCK();
26628Sache}
26628Sache
26628Sacheu_int32_t
169981Sdelphijarc4random(void)
26628Sache{
227519Sdas	u_int32_t val;
227519Sdas	_ARC4_LOCK();
227520Sdas	arc4_count -= 4;
227520Sdas	arc4_stir_if_needed();
227519Sdas	val = arc4_getword();
227519Sdas	_ARC4_UNLOCK();
227519Sdas	return val;
26628Sache}
26628Sache
180657Sachevoid
180657Sachearc4random_buf(void *_buf, size_t n)
180657Sache{
180657Sache	u_char *buf = (u_char *)_buf;
227519Sdas	_ARC4_LOCK();
227520Sdas	arc4_stir_if_needed();
180657Sache	while (n--) {
227520Sdas		if (--arc4_count <= 0)
227520Sdas			arc4_stir();
180672Sache		buf[n] = arc4_getbyte();
180657Sache	}
227519Sdas	_ARC4_UNLOCK();
180657Sache}
180657Sache
180688Sache/*
180688Sache * Calculate a uniformly distributed random number less than upper_bound
180688Sache * avoiding "modulo bias".
180688Sache *
180688Sache * Uniformity is achieved by generating new random numbers until the one
180688Sache * returned is outside the range [0, 2**32 % upper_bound).  This
180688Sache * guarantees the selected random number will be inside
180688Sache * [2**32 % upper_bound, 2**32) which maps back to [0, upper_bound)
180688Sache * after reduction modulo upper_bound.
180688Sache */
180688Sacheu_int32_t
180688Sachearc4random_uniform(u_int32_t upper_bound)
180688Sache{
180688Sache	u_int32_t r, min;
180688Sache
180688Sache	if (upper_bound < 2)
227519Sdas		return 0;
180688Sache
268962Spfg	/* 2**32 % x == (2**32 - x) % x */
268962Spfg	min = -upper_bound % upper_bound;
180688Sache	/*
180688Sache	 * This could theoretically loop forever but each retry has
180688Sache	 * p > 0.5 (worst case, usually far better) of selecting a
180688Sache	 * number inside the range we need, so it should rarely need
180688Sache	 * to re-roll.
180688Sache	 */
180688Sache	for (;;) {
180688Sache		r = arc4random();
180688Sache		if (r >= min)
180688Sache			break;
180688Sache	}
180688Sache
227519Sdas	return r % upper_bound;
180688Sache}
180688Sache
26628Sache#if 0
26628Sache/*-------- Test code for i386 --------*/
26628Sache#include <stdio.h>
26628Sache#include <machine/pctr.h>
26628Sacheint
26628Sachemain(int argc, char **argv)
26628Sache{
26628Sache	const int iter = 1000000;
26628Sache	int     i;
26628Sache	pctrval v;
26628Sache
26628Sache	v = rdtsc();
26628Sache	for (i = 0; i < iter; i++)
26628Sache		arc4random();
26628Sache	v = rdtsc() - v;
26628Sache	v /= iter;
26628Sache
26628Sache	printf("%qd cycles\n", v);
26628Sache}
26628Sache#endif