arc4random.c revision 1.22
1 1.22 roy /* $NetBSD: arc4random.c,v 1.22 2014/06/07 20:55:47 roy Exp $ */ 2 1.1 itojun /* $OpenBSD: arc4random.c,v 1.6 2001/06/05 05:05:38 pvalchev Exp $ */ 3 1.1 itojun 4 1.1 itojun /* 5 1.1 itojun * Arc4 random number generator for OpenBSD. 6 1.1 itojun * Copyright 1996 David Mazieres <dm (at) lcs.mit.edu>. 7 1.1 itojun * 8 1.1 itojun * Modification and redistribution in source and binary forms is 9 1.1 itojun * permitted provided that due credit is given to the author and the 10 1.1 itojun * OpenBSD project by leaving this copyright notice intact. 11 1.1 itojun */ 12 1.1 itojun 13 1.1 itojun /* 14 1.1 itojun * This code is derived from section 17.1 of Applied Cryptography, 15 1.1 itojun * second edition, which describes a stream cipher allegedly 16 1.1 itojun * compatible with RSA Labs "RC4" cipher (the actual description of 17 1.1 itojun * which is a trade secret). The same algorithm is used as a stream 18 1.1 itojun * cipher called "arcfour" in Tatu Ylonen's ssh package. 19 1.1 itojun * 20 1.1 itojun * Here the stream cipher has been modified always to include the time 21 1.1 itojun * when initializing the state. That makes it impossible to 22 1.1 itojun * regenerate the same random sequence twice, so this can't be used 23 1.1 itojun * for encryption, but will generate good random numbers. 24 1.1 itojun * 25 1.1 itojun * RC4 is a registered trademark of RSA Laboratories. 26 1.1 itojun */ 27 1.1 itojun 28 1.8 lukem #include <sys/cdefs.h> 29 1.8 lukem #if defined(LIBC_SCCS) && !defined(lint) 30 1.22 roy __RCSID("$NetBSD: arc4random.c,v 1.22 2014/06/07 20:55:47 roy Exp $"); 31 1.8 lukem #endif /* LIBC_SCCS and not lint */ 32 1.8 lukem 33 1.7 kleink #include "namespace.h" 34 1.11 tls #include "reentrant.h" 35 1.1 itojun #include <fcntl.h> 36 1.22 roy #include <pthread.h> 37 1.22 roy #include <stdbool.h> 38 1.1 itojun #include <stdlib.h> 39 1.1 itojun #include <unistd.h> 40 1.1 itojun #include <sys/types.h> 41 1.1 itojun #include <sys/param.h> 42 1.1 itojun #include <sys/time.h> 43 1.1 itojun #include <sys/sysctl.h> 44 1.1 itojun 45 1.7 kleink #ifdef __weak_alias 46 1.7 kleink __weak_alias(arc4random,_arc4random) 47 1.20 dsl __weak_alias(arc4random_addrandom,_arc4random_addrandom) 48 1.20 dsl __weak_alias(arc4random_buf,_arc4random_buf) 49 1.20 dsl __weak_alias(arc4random_stir,_arc4random_stir) 50 1.20 dsl __weak_alias(arc4random_uniform,_arc4random_uniform) 51 1.7 kleink #endif 52 1.7 kleink 53 1.1 itojun struct arc4_stream { 54 1.22 roy bool inited; 55 1.10 christos uint8_t i; 56 1.10 christos uint8_t j; 57 1.18 dsl uint8_t s[(uint8_t)~0u + 1u]; /* 256 to you and me */ 58 1.22 roy size_t count; 59 1.18 dsl mutex_t mtx; 60 1.1 itojun }; 61 1.1 itojun 62 1.16 dsl #ifdef _REENTRANT 63 1.22 roy #define LOCK(rs) if (__isthreaded) mutex_lock(&(rs)->mtx); 64 1.22 roy #define UNLOCK(rs) if (__isthreaded) mutex_unlock(&(rs)->mtx); 65 1.16 dsl #else 66 1.22 roy #define LOCK(rs) 67 1.16 dsl #define UNLOCK(rs) 68 1.16 dsl #endif 69 1.16 dsl 70 1.18 dsl #define S(n) (n) 71 1.18 dsl #define S4(n) S(n), S(n + 1), S(n + 2), S(n + 3) 72 1.18 dsl #define S16(n) S4(n), S4(n + 4), S4(n + 8), S4(n + 12) 73 1.18 dsl #define S64(n) S16(n), S16(n + 16), S16(n + 32), S16(n + 48) 74 1.18 dsl #define S256 S64(0), S64(64), S64(128), S64(192) 75 1.18 dsl 76 1.22 roy static struct arc4_stream rs = { .inited = false, 77 1.22 roy .i = 0xff, .j = 0, .s = { S256 }, 78 1.22 roy .count = 0, .mtx = MUTEX_INITIALIZER }; 79 1.18 dsl 80 1.18 dsl #undef S 81 1.18 dsl #undef S4 82 1.18 dsl #undef S16 83 1.18 dsl #undef S64 84 1.18 dsl #undef S256 85 1.1 itojun 86 1.1 itojun static inline void arc4_addrandom(struct arc4_stream *, u_char *, int); 87 1.18 dsl static __noinline void arc4_stir(struct arc4_stream *); 88 1.10 christos static inline uint8_t arc4_getbyte(struct arc4_stream *); 89 1.10 christos static inline uint32_t arc4_getword(struct arc4_stream *); 90 1.1 itojun 91 1.22 roy #ifdef _REENTRANT 92 1.22 roy static void 93 1.22 roy arc4_fork_prepare(void) 94 1.22 roy { 95 1.22 roy 96 1.22 roy LOCK(&rs); 97 1.22 roy } 98 1.22 roy 99 1.22 roy static void 100 1.22 roy arc4_fork_parent(void) 101 1.22 roy { 102 1.22 roy 103 1.22 roy UNLOCK(&rs); 104 1.22 roy } 105 1.22 roy #else 106 1.22 roy #define arc4_fork_prepare NULL 107 1.22 roy #define arc4_fork_parent NULL 108 1.22 roy #endif 109 1.22 roy 110 1.22 roy static void 111 1.22 roy arc4_fork_child(void) 112 1.22 roy { 113 1.22 roy 114 1.22 roy /* Reset the counter to a force new stir after forking */ 115 1.22 roy rs.count = 0; 116 1.22 roy UNLOCK(&rs); 117 1.22 roy } 118 1.22 roy 119 1.22 roy static inline void 120 1.15 dsl arc4_check_init(struct arc4_stream *as) 121 1.15 dsl { 122 1.15 dsl 123 1.22 roy if (__predict_false(!as->inited)) { 124 1.22 roy as->inited = true; 125 1.22 roy pthread_atfork(arc4_fork_prepare, 126 1.22 roy arc4_fork_parent, arc4_fork_child); 127 1.22 roy } 128 1.15 dsl } 129 1.15 dsl 130 1.1 itojun static inline void 131 1.10 christos arc4_addrandom(struct arc4_stream *as, u_char *dat, int datlen) 132 1.1 itojun { 133 1.10 christos uint8_t si; 134 1.18 dsl size_t n; 135 1.1 itojun 136 1.18 dsl for (n = 0; n < __arraycount(as->s); n++) { 137 1.1 itojun as->i = (as->i + 1); 138 1.1 itojun si = as->s[as->i]; 139 1.1 itojun as->j = (as->j + si + dat[n % datlen]); 140 1.1 itojun as->s[as->i] = as->s[as->j]; 141 1.1 itojun as->s[as->j] = si; 142 1.1 itojun } 143 1.1 itojun } 144 1.1 itojun 145 1.18 dsl static __noinline void 146 1.10 christos arc4_stir(struct arc4_stream *as) 147 1.1 itojun { 148 1.13 christos int rdat[32]; 149 1.14 dsl int mib[] = { CTL_KERN, KERN_URND }; 150 1.11 tls size_t len; 151 1.14 dsl size_t i, j; 152 1.1 itojun 153 1.22 roy arc4_check_init(as); 154 1.22 roy 155 1.11 tls /* 156 1.11 tls * This code once opened and read /dev/urandom on each 157 1.11 tls * call. That causes repeated rekeying of the kernel stream 158 1.11 tls * generator, which is very wasteful. Because of application 159 1.11 tls * behavior, caching the fd doesn't really help. So we just 160 1.11 tls * fill up the tank from sysctl, which is a tiny bit slower 161 1.11 tls * for us but much friendlier to other entropy consumers. 162 1.11 tls */ 163 1.11 tls 164 1.14 dsl for (i = 0; i < __arraycount(rdat); i++) { 165 1.11 tls len = sizeof(rdat[i]); 166 1.11 tls if (sysctl(mib, 2, &rdat[i], &len, NULL, 0) == -1) 167 1.11 tls abort(); 168 1.1 itojun } 169 1.1 itojun 170 1.13 christos arc4_addrandom(as, (void *) &rdat, (int)sizeof(rdat)); 171 1.3 itojun 172 1.3 itojun /* 173 1.3 itojun * Throw away the first N words of output, as suggested in the 174 1.3 itojun * paper "Weaknesses in the Key Scheduling Algorithm of RC4" 175 1.3 itojun * by Fluher, Mantin, and Shamir. (N = 256 in our case.) 176 1.3 itojun */ 177 1.22 roy for (j = 0; j < __arraycount(as->s) * sizeof(uint32_t); j++) 178 1.3 itojun arc4_getbyte(as); 179 1.18 dsl 180 1.22 roy /* Stir again after swallowing 1600000 bytes or if the pid changes */ 181 1.22 roy as->count = 1600000; 182 1.22 roy } 183 1.22 roy 184 1.22 roy static inline void 185 1.22 roy arc4_stir_if_needed(struct arc4_stream *as, size_t len) 186 1.22 roy { 187 1.22 roy 188 1.22 roy if (__predict_false(as->count <= len)) 189 1.22 roy arc4_stir(as); 190 1.22 roy else 191 1.22 roy as->count -= len; 192 1.1 itojun } 193 1.1 itojun 194 1.21 christos static __inline uint8_t 195 1.17 dsl arc4_getbyte_ij(struct arc4_stream *as, uint8_t *i, uint8_t *j) 196 1.1 itojun { 197 1.10 christos uint8_t si, sj; 198 1.1 itojun 199 1.17 dsl *i = *i + 1; 200 1.17 dsl si = as->s[*i]; 201 1.17 dsl *j = *j + si; 202 1.17 dsl sj = as->s[*j]; 203 1.17 dsl as->s[*i] = sj; 204 1.17 dsl as->s[*j] = si; 205 1.1 itojun return (as->s[(si + sj) & 0xff]); 206 1.1 itojun } 207 1.1 itojun 208 1.17 dsl static inline uint8_t 209 1.17 dsl arc4_getbyte(struct arc4_stream *as) 210 1.17 dsl { 211 1.22 roy 212 1.17 dsl return arc4_getbyte_ij(as, &as->i, &as->j); 213 1.17 dsl } 214 1.17 dsl 215 1.10 christos static inline uint32_t 216 1.10 christos arc4_getword(struct arc4_stream *as) 217 1.1 itojun { 218 1.10 christos uint32_t val; 219 1.22 roy 220 1.1 itojun val = arc4_getbyte(as) << 24; 221 1.1 itojun val |= arc4_getbyte(as) << 16; 222 1.1 itojun val |= arc4_getbyte(as) << 8; 223 1.1 itojun val |= arc4_getbyte(as); 224 1.1 itojun return val; 225 1.1 itojun } 226 1.1 itojun 227 1.16 dsl void 228 1.16 dsl arc4random_stir(void) 229 1.1 itojun { 230 1.22 roy 231 1.16 dsl LOCK(&rs); 232 1.18 dsl arc4_stir(&rs); 233 1.16 dsl UNLOCK(&rs); 234 1.1 itojun } 235 1.1 itojun 236 1.1 itojun void 237 1.16 dsl arc4random_addrandom(u_char *dat, int datlen) 238 1.11 tls { 239 1.22 roy 240 1.16 dsl LOCK(&rs); 241 1.22 roy arc4_stir_if_needed(&rs, datlen); 242 1.11 tls arc4_addrandom(&rs, dat, datlen); 243 1.16 dsl UNLOCK(&rs); 244 1.1 itojun } 245 1.1 itojun 246 1.10 christos uint32_t 247 1.10 christos arc4random(void) 248 1.1 itojun { 249 1.11 tls uint32_t v; 250 1.16 dsl 251 1.16 dsl LOCK(&rs); 252 1.22 roy arc4_stir_if_needed(&rs, sizeof(v)); 253 1.16 dsl v = arc4_getword(&rs); 254 1.16 dsl UNLOCK(&rs); 255 1.11 tls return v; 256 1.1 itojun } 257 1.1 itojun 258 1.16 dsl void 259 1.16 dsl arc4random_buf(void *buf, size_t len) 260 1.10 christos { 261 1.10 christos uint8_t *bp = buf; 262 1.10 christos uint8_t *ep = bp + len; 263 1.17 dsl uint8_t i, j; 264 1.10 christos 265 1.16 dsl LOCK(&rs); 266 1.22 roy arc4_stir_if_needed(&rs, len); 267 1.12 tls 268 1.17 dsl /* cache i and j - compiler can't know 'buf' doesn't alias them */ 269 1.17 dsl i = rs.i; 270 1.17 dsl j = rs.j; 271 1.17 dsl 272 1.10 christos while (bp < ep) 273 1.17 dsl *bp++ = arc4_getbyte_ij(&rs, &i, &j); 274 1.17 dsl rs.i = i; 275 1.17 dsl rs.j = j; 276 1.17 dsl 277 1.16 dsl UNLOCK(&rs); 278 1.11 tls } 279 1.11 tls 280 1.10 christos /*- 281 1.10 christos * Written by Damien Miller. 282 1.10 christos * With simplifications by Jinmei Tatuya. 283 1.10 christos */ 284 1.10 christos 285 1.10 christos /* 286 1.10 christos * Calculate a uniformly distributed random number less than 287 1.10 christos * upper_bound avoiding "modulo bias". 288 1.10 christos * 289 1.10 christos * Uniformity is achieved by generating new random numbers 290 1.10 christos * until the one returned is outside the range 291 1.10 christos * [0, 2^32 % upper_bound[. This guarantees the selected 292 1.10 christos * random number will be inside the range 293 1.10 christos * [2^32 % upper_bound, 2^32[ which maps back to 294 1.10 christos * [0, upper_bound[ after reduction modulo upper_bound. 295 1.10 christos */ 296 1.16 dsl uint32_t 297 1.16 dsl arc4random_uniform(uint32_t upper_bound) 298 1.10 christos { 299 1.10 christos uint32_t r, min; 300 1.10 christos 301 1.10 christos if (upper_bound < 2) 302 1.10 christos return 0; 303 1.10 christos 304 1.10 christos /* calculate (2^32 % upper_bound) avoiding 64-bit math */ 305 1.16 dsl /* ((2^32 - x) % x) == (2^32 % x) when x <= 2^31 */ 306 1.16 dsl min = (0xFFFFFFFFU - upper_bound + 1) % upper_bound; 307 1.16 dsl 308 1.16 dsl LOCK(&rs); 309 1.22 roy arc4_stir_if_needed(&rs, sizeof(r)); 310 1.16 dsl 311 1.10 christos /* 312 1.10 christos * This could theoretically loop forever but each retry has 313 1.10 christos * p > 0.5 (worst case, usually far better) of selecting a 314 1.10 christos * number inside the range we need, so it should rarely need 315 1.10 christos * to re-roll (at all). 316 1.10 christos */ 317 1.10 christos do 318 1.10 christos r = arc4_getword(&rs); 319 1.10 christos while (r < min); 320 1.16 dsl UNLOCK(&rs); 321 1.10 christos 322 1.10 christos return r % upper_bound; 323 1.10 christos } 324
Indexes created Sun Sep 21 20:09:37 GMT 2025