arc4random.c revision 169981 
1258945Sroberto/*
2258945Sroberto * Arc4 random number generator for OpenBSD.
3280849Scy * Copyright 1996 David Mazieres <dm@lcs.mit.edu>.
4258945Sroberto *
5258945Sroberto * Modification and redistribution in source and binary forms is
6258945Sroberto * permitted provided that due credit is given to the author and the
7280849Scy * OpenBSD project (for instance by leaving this copyright notice
8258945Sroberto * intact).
9258945Sroberto */
10258945Sroberto
11258945Sroberto/*
12258945Sroberto * This code is derived from section 17.1 of Applied Cryptography,
13258945Sroberto * second edition, which describes a stream cipher allegedly
14258945Sroberto * compatible with RSA Labs "RC4" cipher (the actual description of
15258945Sroberto * which is a trade secret).  The same algorithm is used as a stream
16258945Sroberto * cipher called "arcfour" in Tatu Ylonen's ssh package.
17258945Sroberto *
18280849Scy * Here the stream cipher has been modified always to include the time
19280849Scy * when initializing the state.  That makes it impossible to
20280849Scy * regenerate the same random sequence twice, so this can't be used
21280849Scy * for encryption, but will generate good random numbers.
22258945Sroberto *
23280849Scy * RC4 is a registered trademark of RSA Laboratories.
24280849Scy */
25258945Sroberto
26280849Scy#include <sys/cdefs.h>
27280849Scy__FBSDID("$FreeBSD: head/lib/libc/gen/arc4random.c 169981 2007-05-25 10:40:33Z delphij $");
28280849Scy
29280849Scy#include "namespace.h"
30280849Scy#include <sys/types.h>
31280849Scy#include <sys/time.h>
32258945Sroberto#include <stdlib.h>
33280849Scy#include <fcntl.h>
34258945Sroberto#include <unistd.h>
35280849Scy#include <pthread.h>
36258945Sroberto
37258945Sroberto#include "libc_private.h"
38280849Scy#include "un-namespace.h"
39258945Sroberto
40258945Srobertostruct arc4_stream {
41258945Sroberto	u_int8_t i;
42280849Scy	u_int8_t j;
43280849Scy	u_int8_t s[256];
44280849Scy};
45280849Scy
46258945Srobertostatic pthread_mutex_t	arc4random_mtx = PTHREAD_MUTEX_INITIALIZER;
47258945Sroberto
48258945Sroberto#define	RANDOMDEV	"/dev/urandom"
49258945Sroberto#define	THREAD_LOCK()						\
50258945Sroberto	do {							\
51258945Sroberto		if (__isthreaded)				\
52280849Scy			_pthread_mutex_lock(&arc4random_mtx);	\
53258945Sroberto	} while (0)
54280849Scy
55280849Scy#define	THREAD_UNLOCK()						\
56258945Sroberto	do {							\
57280849Scy		if (__isthreaded)				\
58280849Scy			_pthread_mutex_unlock(&arc4random_mtx);	\
59280849Scy	} while (0)
60258945Sroberto
61258945Srobertostatic struct arc4_stream rs;
62258945Srobertostatic int rs_initialized;
63258945Srobertostatic int rs_stired;
64258945Srobertostatic int arc4_count;
65280849Scy
66280849Scystatic inline u_int8_t arc4_getbyte(struct arc4_stream *);
67280849Scystatic void arc4_stir(struct arc4_stream *);
68280849Scy
69280849Scystatic inline void
70280849Scyarc4_init(struct arc4_stream *as)
71280849Scy{
72280849Scy	int     n;
73280849Scy
74280849Scy	for (n = 0; n < 256; n++)
75280849Scy		as->s[n] = n;
76258945Sroberto	as->i = 0;
77258945Sroberto	as->j = 0;
78280849Scy}
79280849Scy
80280849Scystatic inline void
81280849Scyarc4_addrandom(struct arc4_stream *as, u_char *dat, int datlen)
82280849Scy{
83280849Scy	int     n;
84280849Scy	u_int8_t si;
85280849Scy
86258945Sroberto	as->i--;
87280849Scy	for (n = 0; n < 256; n++) {
88258945Sroberto		as->i = (as->i + 1);
89258945Sroberto		si = as->s[as->i];
90280849Scy		as->j = (as->j + si + dat[n % datlen]);
91280849Scy		as->s[as->i] = as->s[as->j];
92280849Scy		as->s[as->j] = si;
93280849Scy	}
94280849Scy}
95280849Scy
96258945Srobertostatic void
97258945Srobertoarc4_stir(struct arc4_stream *as)
98258945Sroberto{
99280849Scy	int     fd, n;
100258945Sroberto	struct {
101258945Sroberto		struct timeval tv;
102258945Sroberto		pid_t pid;
103280849Scy		u_int8_t rnd[128 - sizeof(struct timeval) - sizeof(pid_t)];
104258945Sroberto	}       rdat;
105258945Sroberto
106280849Scy	gettimeofday(&rdat.tv, NULL);
107280849Scy	rdat.pid = getpid();
108280849Scy	fd = _open(RANDOMDEV, O_RDONLY, 0);
109280849Scy	if (fd >= 0) {
110280849Scy		(void) _read(fd, rdat.rnd, sizeof(rdat.rnd));
111280849Scy		_close(fd);
112280849Scy	}
113280849Scy	/* fd < 0?  Ah, what the heck. We'll just take whatever was on the
114280849Scy	 * stack... */
115280849Scy
116290000Sglebius	arc4_addrandom(as, (void *) &rdat, sizeof(rdat));
117280849Scy
118280849Scy	/*
119280849Scy	 * Throw away the first N bytes of output, as suggested in the
120258945Sroberto	 * paper "Weaknesses in the Key Scheduling Algorithm of RC4"
121258945Sroberto	 * by Fluher, Mantin, and Shamir.  N=1024 is based on
122258945Sroberto	 * suggestions in the paper "(Not So) Random Shuffles of RC4"
123258945Sroberto	 * by Ilya Mironov.
124258945Sroberto	 */
125258945Sroberto	for (n = 0; n < 1024; n++)
126258945Sroberto		(void) arc4_getbyte(as);
127258945Sroberto	arc4_count = 400000;
128258945Sroberto}
129258945Sroberto
130258945Srobertostatic inline u_int8_t
131258945Srobertoarc4_getbyte(struct arc4_stream *as)
132280849Scy{
133280849Scy	u_int8_t si, sj;
134280849Scy
135280849Scy	as->i = (as->i + 1);
136258945Sroberto	si = as->s[as->i];
137258945Sroberto	as->j = (as->j + si);
138280849Scy	sj = as->s[as->j];
139293894Sglebius	as->s[as->i] = sj;
140280849Scy	as->s[as->j] = si;
141280849Scy
142280849Scy	return (as->s[(si + sj) & 0xff]);
143280849Scy}
144280849Scy
145280849Scystatic inline u_int32_t
146258945Srobertoarc4_getword(struct arc4_stream *as)
147280849Scy{
148280849Scy	u_int32_t val;
149258945Sroberto
150280849Scy	val = arc4_getbyte(as) << 24;
151280849Scy	val |= arc4_getbyte(as) << 16;
152280849Scy	val |= arc4_getbyte(as) << 8;
153280849Scy	val |= arc4_getbyte(as);
154280849Scy
155280849Scy	return (val);
156280849Scy}
157280849Scy
158258945Srobertostatic void
159258945Srobertoarc4_check_init(void)
160280849Scy{
161280849Scy	if (!rs_initialized) {
162280849Scy		arc4_init(&rs);
163280849Scy		rs_initialized = 1;
164280849Scy	}
165280849Scy}
166280849Scy
167280849Scystatic void
168280849Scyarc4_check_stir(void)
169280849Scy{
170280849Scy	if (!rs_stired || --arc4_count == 0) {
171280849Scy		arc4_stir(&rs);
172280849Scy		rs_stired = 1;
173280849Scy	}
174280849Scy}
175258945Sroberto
176258945Srobertovoid
177258945Srobertoarc4random_stir(void)
178258945Sroberto{
179258945Sroberto	THREAD_LOCK();
180280849Scy	arc4_check_init();
181280849Scy	arc4_stir(&rs);
182280849Scy	THREAD_UNLOCK();
183280849Scy}
184280849Scy
185280849Scyvoid
186280849Scyarc4random_addrandom(u_char *dat, int datlen)
187294904Sdelphij{
188280849Scy	THREAD_LOCK();
189280849Scy	arc4_check_init();
190258945Sroberto	arc4_check_stir();
191258945Sroberto	arc4_addrandom(&rs, dat, datlen);
192258945Sroberto	THREAD_UNLOCK();
193280849Scy}
194280849Scy
195280849Scyu_int32_t
196258945Srobertoarc4random(void)
197280849Scy{
198258945Sroberto	u_int32_t rnd;
199280849Scy
200280849Scy	THREAD_LOCK();
201280849Scy	arc4_check_init();
202280849Scy	arc4_check_stir();
203280849Scy	rnd = arc4_getword(&rs);
204280849Scy	THREAD_UNLOCK();
205280849Scy
206280849Scy	return (rnd);
207280849Scy}
208258945Sroberto
209280849Scy#if 0
210280849Scy/*-------- Test code for i386 --------*/
211280849Scy#include <stdio.h>
212280849Scy#include <machine/pctr.h>
213280849Scyint
214280849Scymain(int argc, char **argv)
215280849Scy{
216280849Scy	const int iter = 1000000;
217280849Scy	int     i;
218280849Scy	pctrval v;
219258945Sroberto
220280849Scy	v = rdtsc();
221258945Sroberto	for (i = 0; i < iter; i++)
222258945Sroberto		arc4random();
223258945Sroberto	v = rdtsc() - v;
224280849Scy	v /= iter;
225280849Scy
226280849Scy	printf("%qd cycles\n", v);
227258945Sroberto}
228258945Sroberto#endif
229258945Sroberto