arc4random.c revision 104900 
1/*-
2 * THE BEER-WARE LICENSE
3 *
4 * <dan@FreeBSD.ORG> wrote this file.  As long as you retain this notice you
5 * can do whatever you want with this stuff.  If we meet some day, and you
6 * think this stuff is worth it, you can buy me a beer in return.
7 *
8 * Dan Moschuk
9 *
10 * $FreeBSD: head/sys/libkern/arc4random.c 104900 2002-10-11 13:13:08Z phk $
11 */
12
13#include <sys/types.h>
14#include <sys/random.h>
15#include <sys/libkern.h>
16#include <sys/time.h>
17
18#define	ARC4_RESEED_BYTES 65536
19#define	ARC4_RESEED_SECONDS 300
20#define	ARC4_KEYBYTES (256 / 8)
21
22static u_int8_t arc4_i, arc4_j;
23static int arc4_initialized = 0;
24static int arc4_numruns = 0;
25static u_int8_t arc4_sbox[256];
26static time_t arc4_t_reseed;
27
28static u_int8_t arc4_randbyte(void);
29
30static __inline void
31arc4_swap(u_int8_t *a, u_int8_t *b)
32{
33	u_int8_t c;
34
35	c = *a;
36	*a = *b;
37	*b = c;
38}
39
40/*
41 * Stir our S-box.
42 */
43static void
44arc4_randomstir (void)
45{
46	u_int8_t key[256];
47	int r, n;
48	struct timeval tv_now;
49
50	/*
51	 * XXX read_random() returns unsafe numbers if the entropy
52	 * device is not loaded -- MarkM.
53	 */
54	r = read_random(key, ARC4_KEYBYTES);
55	/* If r == 0 || -1, just use what was on the stack. */
56	if (r > 0) {
57		for (n = r; n < sizeof(key); n++)
58			key[n] = key[n % r];
59	}
60
61	for (n = 0; n < 256; n++) {
62		arc4_j = (arc4_j + arc4_sbox[n] + key[n]) % 256;
63		arc4_swap(&arc4_sbox[n], &arc4_sbox[arc4_j]);
64	}
65
66	/* Reset for next reseed cycle. */
67	getmicrouptime(&tv_now);
68	arc4_t_reseed = tv_now.tv_sec + ARC4_RESEED_SECONDS;
69	arc4_numruns = 0;
70}
71
72/*
73 * Initialize our S-box to its beginning defaults.
74 */
75static void
76arc4_init(void)
77{
78	int n;
79
80	arc4_i = arc4_j = 0;
81	for (n = 0; n < 256; n++)
82		arc4_sbox[n] = (u_int8_t) n;
83
84	arc4_randomstir();
85	arc4_initialized = 1;
86
87	/*
88	 * Throw away the first N words of output, as suggested in the
89	 * paper "Weaknesses in the Key Scheduling Algorithm of RC4"
90	 * by Fluher, Mantin, and Shamir.  (N = 256 in our case.)
91	 */
92	for (n = 0; n < 256*4; n++)
93		arc4_randbyte();
94}
95
96/*
97 * Generate a random byte.
98 */
99static u_int8_t
100arc4_randbyte(void)
101{
102	u_int8_t arc4_t;
103
104	arc4_i = (arc4_i + 1) % 256;
105	arc4_j = (arc4_j + arc4_sbox[arc4_i]) % 256;
106
107	arc4_swap(&arc4_sbox[arc4_i], &arc4_sbox[arc4_j]);
108
109	arc4_t = (arc4_sbox[arc4_i] + arc4_sbox[arc4_j]) % 256;
110	return arc4_sbox[arc4_t];
111}
112
113void
114arc4rand(void *ptr, u_int len, int reseed)
115{
116	u_char *p;
117	struct timeval tv;
118
119	/* Initialize array if needed. */
120	if (!arc4_initialized)
121		arc4_init();
122
123	getmicrouptime(&tv);
124	arc4_numruns += len;
125	if (reseed ||
126	   (arc4_numruns > ARC4_RESEED_BYTES) ||
127	   (tv.tv_sec > arc4_t_reseed))
128		arc4_randomstir();
129
130	p = ptr;
131	while (len--)
132		*p++ = arc4_randbyte();
133}
134
135uint32_t
136arc4random(void)
137{
138	uint32_t ret;
139
140	arc4rand(&ret, sizeof ret, 0);
141	return ret;
142}
143