arc4random.c revision 1.17
1 /* $NetBSD: arc4random.c,v 1.17 2012/08/18 15:55:07 dsl Exp $ */ 2 /* $OpenBSD: arc4random.c,v 1.6 2001/06/05 05:05:38 pvalchev Exp $ */ 3 4 /* 5 * Arc4 random number generator for OpenBSD. 6 * Copyright 1996 David Mazieres <dm (at) lcs.mit.edu>. 7 * 8 * Modification and redistribution in source and binary forms is 9 * permitted provided that due credit is given to the author and the 10 * OpenBSD project by leaving this copyright notice intact. 11 */ 12 13 /* 14 * This code is derived from section 17.1 of Applied Cryptography, 15 * second edition, which describes a stream cipher allegedly 16 * compatible with RSA Labs "RC4" cipher (the actual description of 17 * which is a trade secret). The same algorithm is used as a stream 18 * cipher called "arcfour" in Tatu Ylonen's ssh package. 19 * 20 * Here the stream cipher has been modified always to include the time 21 * when initializing the state. That makes it impossible to 22 * regenerate the same random sequence twice, so this can't be used 23 * for encryption, but will generate good random numbers. 24 * 25 * RC4 is a registered trademark of RSA Laboratories. 26 */ 27 28 #include <sys/cdefs.h> 29 #if defined(LIBC_SCCS) && !defined(lint) 30 __RCSID("$NetBSD: arc4random.c,v 1.17 2012/08/18 15:55:07 dsl Exp $"); 31 #endif /* LIBC_SCCS and not lint */ 32 33 #include "namespace.h" 34 #include "reentrant.h" 35 #include <fcntl.h> 36 #include <stdlib.h> 37 #include <unistd.h> 38 #include <sys/types.h> 39 #include <sys/param.h> 40 #include <sys/time.h> 41 #include <sys/sysctl.h> 42 43 #ifdef __weak_alias 44 __weak_alias(arc4random,_arc4random) 45 #endif 46 47 #define RSIZE 256 48 struct arc4_stream { 49 mutex_t mtx; 50 int initialized; 51 uint8_t i; 52 uint8_t j; 53 uint8_t s[RSIZE]; 54 }; 55 56 #ifdef _REENTRANT 57 #define LOCK(rs) { \ 58 int isthreaded = __isthreaded; \ 59 if (isthreaded) \ 60 mutex_lock(&(rs)->mtx); 61 #define UNLOCK(rs) \ 62 if (isthreaded) \ 63 mutex_unlock(&(rs)->mtx); \ 64 } 65 #else 66 #define LOCK(rs) 67 #define UNLOCK(rs) 68 #endif 69 70 71 /* XXX lint explodes with an internal error if only mtx is initialized! */ 72 static struct arc4_stream rs = { .i = 0, .mtx = MUTEX_INITIALIZER }; 73 74 static inline void arc4_addrandom(struct arc4_stream *, u_char *, int); 75 static void arc4_stir(struct arc4_stream *); 76 static inline uint8_t arc4_getbyte(struct arc4_stream *); 77 static inline uint32_t arc4_getword(struct arc4_stream *); 78 79 static __noinline void 80 arc4_init(struct arc4_stream *as) 81 { 82 int n; 83 for (n = 0; n < RSIZE; n++) 84 as->s[n] = n; 85 as->i = 0; 86 as->j = 0; 87 88 as->initialized = 1; 89 arc4_stir(as); 90 } 91 92 static inline int 93 arc4_check_init(struct arc4_stream *as) 94 { 95 if (__predict_true(rs.initialized)) 96 return 0; 97 98 arc4_init(as); 99 return 1; 100 } 101 102 static inline void 103 arc4_addrandom(struct arc4_stream *as, u_char *dat, int datlen) 104 { 105 uint8_t si; 106 int n; 107 108 as->i--; 109 for (n = 0; n < RSIZE; n++) { 110 as->i = (as->i + 1); 111 si = as->s[as->i]; 112 as->j = (as->j + si + dat[n % datlen]); 113 as->s[as->i] = as->s[as->j]; 114 as->s[as->j] = si; 115 } 116 as->j = as->i; 117 } 118 119 static void 120 arc4_stir(struct arc4_stream *as) 121 { 122 int rdat[32]; 123 int mib[] = { CTL_KERN, KERN_URND }; 124 size_t len; 125 size_t i, j; 126 127 /* 128 * This code once opened and read /dev/urandom on each 129 * call. That causes repeated rekeying of the kernel stream 130 * generator, which is very wasteful. Because of application 131 * behavior, caching the fd doesn't really help. So we just 132 * fill up the tank from sysctl, which is a tiny bit slower 133 * for us but much friendlier to other entropy consumers. 134 */ 135 136 for (i = 0; i < __arraycount(rdat); i++) { 137 len = sizeof(rdat[i]); 138 if (sysctl(mib, 2, &rdat[i], &len, NULL, 0) == -1) 139 abort(); 140 } 141 142 arc4_addrandom(as, (void *) &rdat, (int)sizeof(rdat)); 143 144 /* 145 * Throw away the first N words of output, as suggested in the 146 * paper "Weaknesses in the Key Scheduling Algorithm of RC4" 147 * by Fluher, Mantin, and Shamir. (N = 256 in our case.) 148 */ 149 for (j = 0; j < RSIZE * 4; j++) 150 arc4_getbyte(as); 151 } 152 153 static __always_inline uint8_t 154 arc4_getbyte_ij(struct arc4_stream *as, uint8_t *i, uint8_t *j) 155 { 156 uint8_t si, sj; 157 158 *i = *i + 1; 159 si = as->s[*i]; 160 *j = *j + si; 161 sj = as->s[*j]; 162 as->s[*i] = sj; 163 as->s[*j] = si; 164 return (as->s[(si + sj) & 0xff]); 165 } 166 167 static inline uint8_t 168 arc4_getbyte(struct arc4_stream *as) 169 { 170 return arc4_getbyte_ij(as, &as->i, &as->j); 171 } 172 173 static inline uint32_t 174 arc4_getword(struct arc4_stream *as) 175 { 176 uint32_t val; 177 val = arc4_getbyte(as) << 24; 178 val |= arc4_getbyte(as) << 16; 179 val |= arc4_getbyte(as) << 8; 180 val |= arc4_getbyte(as); 181 return val; 182 } 183 184 void 185 arc4random_stir(void) 186 { 187 LOCK(&rs); 188 if (__predict_false(!arc4_check_init(&rs))) /* init() stirs */ 189 arc4_stir(&rs); 190 UNLOCK(&rs); 191 } 192 193 void 194 arc4random_addrandom(u_char *dat, int datlen) 195 { 196 LOCK(&rs); 197 arc4_check_init(&rs); 198 arc4_addrandom(&rs, dat, datlen); 199 UNLOCK(&rs); 200 } 201 202 uint32_t 203 arc4random(void) 204 { 205 uint32_t v; 206 207 LOCK(&rs); 208 arc4_check_init(&rs); 209 v = arc4_getword(&rs); 210 UNLOCK(&rs); 211 return v; 212 } 213 214 void 215 arc4random_buf(void *buf, size_t len) 216 { 217 uint8_t *bp = buf; 218 uint8_t *ep = bp + len; 219 uint8_t i, j; 220 int skip; 221 222 LOCK(&rs); 223 arc4_check_init(&rs); 224 225 /* cache i and j - compiler can't know 'buf' doesn't alias them */ 226 i = rs.i; 227 j = rs.j; 228 229 skip = arc4_getbyte_ij(&rs, &i, &j) % 3; 230 while (skip--) 231 (void)arc4_getbyte_ij(&rs, &i, &j); 232 233 while (bp < ep) 234 *bp++ = arc4_getbyte_ij(&rs, &i, &j); 235 rs.i = i; 236 rs.j = j; 237 238 UNLOCK(&rs); 239 } 240 241 /*- 242 * Written by Damien Miller. 243 * With simplifications by Jinmei Tatuya. 244 */ 245 246 /* 247 * Calculate a uniformly distributed random number less than 248 * upper_bound avoiding "modulo bias". 249 * 250 * Uniformity is achieved by generating new random numbers 251 * until the one returned is outside the range 252 * [0, 2^32 % upper_bound[. This guarantees the selected 253 * random number will be inside the range 254 * [2^32 % upper_bound, 2^32[ which maps back to 255 * [0, upper_bound[ after reduction modulo upper_bound. 256 */ 257 uint32_t 258 arc4random_uniform(uint32_t upper_bound) 259 { 260 uint32_t r, min; 261 262 if (upper_bound < 2) 263 return 0; 264 265 /* calculate (2^32 % upper_bound) avoiding 64-bit math */ 266 /* ((2^32 - x) % x) == (2^32 % x) when x <= 2^31 */ 267 min = (0xFFFFFFFFU - upper_bound + 1) % upper_bound; 268 269 LOCK(&rs); 270 arc4_check_init(&rs); 271 272 if (arc4_getbyte(&rs) & 1) 273 (void)arc4_getbyte(&rs); 274 275 /* 276 * This could theoretically loop forever but each retry has 277 * p > 0.5 (worst case, usually far better) of selecting a 278 * number inside the range we need, so it should rarely need 279 * to re-roll (at all). 280 */ 281 do 282 r = arc4_getword(&rs); 283 while (r < min); 284 UNLOCK(&rs); 285 286 return r % upper_bound; 287 } 288
Indexes created Mon Sep 29 21:09:56 GMT 2025