arc4random.c revision 1.19
1 /* $NetBSD: arc4random.c,v 1.19 2012/08/20 20:32:09 dsl Exp $ */ 2 /* $OpenBSD: arc4random.c,v 1.6 2001/06/05 05:05:38 pvalchev Exp $ */ 3 4 /* 5 * Arc4 random number generator for OpenBSD. 6 * Copyright 1996 David Mazieres <dm (at) lcs.mit.edu>. 7 * 8 * Modification and redistribution in source and binary forms is 9 * permitted provided that due credit is given to the author and the 10 * OpenBSD project by leaving this copyright notice intact. 11 */ 12 13 /* 14 * This code is derived from section 17.1 of Applied Cryptography, 15 * second edition, which describes a stream cipher allegedly 16 * compatible with RSA Labs "RC4" cipher (the actual description of 17 * which is a trade secret). The same algorithm is used as a stream 18 * cipher called "arcfour" in Tatu Ylonen's ssh package. 19 * 20 * Here the stream cipher has been modified always to include the time 21 * when initializing the state. That makes it impossible to 22 * regenerate the same random sequence twice, so this can't be used 23 * for encryption, but will generate good random numbers. 24 * 25 * RC4 is a registered trademark of RSA Laboratories. 26 */ 27 28 #include <sys/cdefs.h> 29 #if defined(LIBC_SCCS) && !defined(lint) 30 __RCSID("$NetBSD: arc4random.c,v 1.19 2012/08/20 20:32:09 dsl Exp $"); 31 #endif /* LIBC_SCCS and not lint */ 32 33 #include "namespace.h" 34 #include "reentrant.h" 35 #include <fcntl.h> 36 #include <stdlib.h> 37 #include <unistd.h> 38 #include <sys/types.h> 39 #include <sys/param.h> 40 #include <sys/time.h> 41 #include <sys/sysctl.h> 42 43 #ifdef __weak_alias 44 __weak_alias(arc4random,_arc4random) 45 #endif 46 47 struct arc4_stream { 48 uint8_t stirred; 49 uint8_t pad; 50 uint8_t i; 51 uint8_t j; 52 uint8_t s[(uint8_t)~0u + 1u]; /* 256 to you and me */ 53 mutex_t mtx; 54 }; 55 56 #ifdef _REENTRANT 57 #define LOCK(rs) { \ 58 int isthreaded = __isthreaded; \ 59 if (isthreaded) \ 60 mutex_lock(&(rs)->mtx); 61 #define UNLOCK(rs) \ 62 if (isthreaded) \ 63 mutex_unlock(&(rs)->mtx); \ 64 } 65 #else 66 #define LOCK(rs) 67 #define UNLOCK(rs) 68 #endif 69 70 #define S(n) (n) 71 #define S4(n) S(n), S(n + 1), S(n + 2), S(n + 3) 72 #define S16(n) S4(n), S4(n + 4), S4(n + 8), S4(n + 12) 73 #define S64(n) S16(n), S16(n + 16), S16(n + 32), S16(n + 48) 74 #define S256 S64(0), S64(64), S64(128), S64(192) 75 76 static struct arc4_stream rs = { .i = 0xff, .j = 0, .s = { S256 }, 77 .stirred = 0, .mtx = MUTEX_INITIALIZER }; 78 79 #undef S 80 #undef S4 81 #undef S16 82 #undef S64 83 #undef S256 84 85 static inline void arc4_addrandom(struct arc4_stream *, u_char *, int); 86 static __noinline void arc4_stir(struct arc4_stream *); 87 static inline uint8_t arc4_getbyte(struct arc4_stream *); 88 static inline uint32_t arc4_getword(struct arc4_stream *); 89 90 static inline int 91 arc4_check_init(struct arc4_stream *as) 92 { 93 if (__predict_true(rs.stirred)) 94 return 0; 95 96 arc4_stir(as); 97 return 1; 98 } 99 100 static inline void 101 arc4_addrandom(struct arc4_stream *as, u_char *dat, int datlen) 102 { 103 uint8_t si; 104 size_t n; 105 106 for (n = 0; n < __arraycount(as->s); n++) { 107 as->i = (as->i + 1); 108 si = as->s[as->i]; 109 as->j = (as->j + si + dat[n % datlen]); 110 as->s[as->i] = as->s[as->j]; 111 as->s[as->j] = si; 112 } 113 } 114 115 static __noinline void 116 arc4_stir(struct arc4_stream *as) 117 { 118 int rdat[32]; 119 int mib[] = { CTL_KERN, KERN_URND }; 120 size_t len; 121 size_t i, j; 122 123 /* 124 * This code once opened and read /dev/urandom on each 125 * call. That causes repeated rekeying of the kernel stream 126 * generator, which is very wasteful. Because of application 127 * behavior, caching the fd doesn't really help. So we just 128 * fill up the tank from sysctl, which is a tiny bit slower 129 * for us but much friendlier to other entropy consumers. 130 */ 131 132 for (i = 0; i < __arraycount(rdat); i++) { 133 len = sizeof(rdat[i]); 134 if (sysctl(mib, 2, &rdat[i], &len, NULL, 0) == -1) 135 abort(); 136 } 137 138 arc4_addrandom(as, (void *) &rdat, (int)sizeof(rdat)); 139 140 /* 141 * Throw away the first N words of output, as suggested in the 142 * paper "Weaknesses in the Key Scheduling Algorithm of RC4" 143 * by Fluher, Mantin, and Shamir. (N = 256 in our case.) 144 */ 145 for (j = 0; j < __arraycount(as->s) * 4; j++) 146 arc4_getbyte(as); 147 148 as->stirred = 1; 149 } 150 151 static __always_inline uint8_t 152 arc4_getbyte_ij(struct arc4_stream *as, uint8_t *i, uint8_t *j) 153 { 154 uint8_t si, sj; 155 156 *i = *i + 1; 157 si = as->s[*i]; 158 *j = *j + si; 159 sj = as->s[*j]; 160 as->s[*i] = sj; 161 as->s[*j] = si; 162 return (as->s[(si + sj) & 0xff]); 163 } 164 165 static inline uint8_t 166 arc4_getbyte(struct arc4_stream *as) 167 { 168 return arc4_getbyte_ij(as, &as->i, &as->j); 169 } 170 171 static inline uint32_t 172 arc4_getword(struct arc4_stream *as) 173 { 174 uint32_t val; 175 val = arc4_getbyte(as) << 24; 176 val |= arc4_getbyte(as) << 16; 177 val |= arc4_getbyte(as) << 8; 178 val |= arc4_getbyte(as); 179 return val; 180 } 181 182 void 183 arc4random_stir(void) 184 { 185 LOCK(&rs); 186 arc4_stir(&rs); 187 UNLOCK(&rs); 188 } 189 190 void 191 arc4random_addrandom(u_char *dat, int datlen) 192 { 193 LOCK(&rs); 194 arc4_check_init(&rs); 195 arc4_addrandom(&rs, dat, datlen); 196 UNLOCK(&rs); 197 } 198 199 uint32_t 200 arc4random(void) 201 { 202 uint32_t v; 203 204 LOCK(&rs); 205 arc4_check_init(&rs); 206 v = arc4_getword(&rs); 207 UNLOCK(&rs); 208 return v; 209 } 210 211 void 212 arc4random_buf(void *buf, size_t len) 213 { 214 uint8_t *bp = buf; 215 uint8_t *ep = bp + len; 216 uint8_t i, j; 217 218 LOCK(&rs); 219 arc4_check_init(&rs); 220 221 /* cache i and j - compiler can't know 'buf' doesn't alias them */ 222 i = rs.i; 223 j = rs.j; 224 225 while (bp < ep) 226 *bp++ = arc4_getbyte_ij(&rs, &i, &j); 227 rs.i = i; 228 rs.j = j; 229 230 UNLOCK(&rs); 231 } 232 233 /*- 234 * Written by Damien Miller. 235 * With simplifications by Jinmei Tatuya. 236 */ 237 238 /* 239 * Calculate a uniformly distributed random number less than 240 * upper_bound avoiding "modulo bias". 241 * 242 * Uniformity is achieved by generating new random numbers 243 * until the one returned is outside the range 244 * [0, 2^32 % upper_bound[. This guarantees the selected 245 * random number will be inside the range 246 * [2^32 % upper_bound, 2^32[ which maps back to 247 * [0, upper_bound[ after reduction modulo upper_bound. 248 */ 249 uint32_t 250 arc4random_uniform(uint32_t upper_bound) 251 { 252 uint32_t r, min; 253 254 if (upper_bound < 2) 255 return 0; 256 257 /* calculate (2^32 % upper_bound) avoiding 64-bit math */ 258 /* ((2^32 - x) % x) == (2^32 % x) when x <= 2^31 */ 259 min = (0xFFFFFFFFU - upper_bound + 1) % upper_bound; 260 261 LOCK(&rs); 262 arc4_check_init(&rs); 263 264 /* 265 * This could theoretically loop forever but each retry has 266 * p > 0.5 (worst case, usually far better) of selecting a 267 * number inside the range we need, so it should rarely need 268 * to re-roll (at all). 269 */ 270 do 271 r = arc4_getword(&rs); 272 while (r < min); 273 UNLOCK(&rs); 274 275 return r % upper_bound; 276 } 277
Indexes created Mon Sep 29 21:09:56 GMT 2025