sys/libkern/arc4random.c

   1 /*-
   2  * THE BEER-WARE LICENSE
   3  *
   4  * <dan@FreeBSD.ORG> wrote this file.  As long as you retain this notice you
   5  * can do whatever you want with this stuff.  If we meet some day, and you
   6  * think this stuff is worth it, you can buy me a beer in return.
   7  *
   8  * Dan Moschuk
   9  *
  10  * $FreeBSD: src/sys/libkern/arc4random.c,v 1.3.2.2 2001/09/17 07:06:50 silby Exp $
  11  * $DragonFly: src/sys/libkern/arc4random.c,v 1.3 2006/09/03 17:31:55 dillon Exp $
  12  */
  13
  14 #include <sys/types.h>
  15 #include <sys/random.h>
  16 #include <sys/libkern.h>
  17 #include <sys/time.h>
  18
  19 #define ARC4_MAXRUNS 16384
  20 #define ARC4_RESEED_SECONDS 300
  21 #define ARC4_KEYBYTES 32 /* 256 bit key */
  22
  23 static u_int8_t arc4_i, arc4_j;
  24 static int arc4_initialized = 0;
  25 static int arc4_numruns = 0;
  26 static u_int8_t arc4_sbox[256];
  27 static struct timeval arc4_tv_nextreseed;
  28
  29 static u_int8_t arc4_randbyte(void);
  30
  31 static __inline void
  32 arc4_swap(u_int8_t *a, u_int8_t *b)
  33 {
  34         u_int8_t c;
  35
  36         c = *a;
  37         *a = *b;
  38         *b = c;
  39 }
  40
  41 /*
  42  * Stir our S-box.
  43  */
  44 static void
  45 arc4_randomstir (void)
  46 {
  47         u_int8_t key[256];
  48         int r, n;
  49
  50         /*
  51          * XXX read_random() returns unsafe numbers if the entropy
  52          * device is not loaded -- MarkM.
  53          */
  54         r = read_random_unlimited(key, ARC4_KEYBYTES);
  55         /* If r == 0 || -1, just use what was on the stack. */
  56         if (r > 0)
  57         {
  58                 for (n = r; n < sizeof(key); n++)
  59                         key[n] = key[n % r];
  60         }
  61
  62         for (n = 0; n < 256; n++)
  63         {
  64                 arc4_j = (arc4_j + arc4_sbox[n] + key[n]) % 256;
  65                 arc4_swap(&arc4_sbox[n], &arc4_sbox[arc4_j]);
  66         }
  67
  68         /* Reset for next reseed cycle. */
  69         getmicrotime(&arc4_tv_nextreseed);
  70         arc4_tv_nextreseed.tv_sec += ARC4_RESEED_SECONDS;
  71         arc4_numruns = 0;
  72 }
  73
  74 /*
  75  * Initialize our S-box to its beginning defaults.
  76  */
  77 static void
  78 arc4_init(void)
  79 {
  80         int n;
  81
  82         arc4_i = arc4_j = 0;
  83         for (n = 0; n < 256; n++)
  84                 arc4_sbox[n] = (u_int8_t) n;
  85
  86         arc4_randomstir();
  87         arc4_initialized = 1;
  88
  89         /*
  90          * Throw away the first N words of output, as suggested in the
  91          * paper "Weaknesses in the Key Scheduling Algorithm of RC4"
  92          * by Fluher, Mantin, and Shamir.  (N = 256 in our case.)
  93          */
  94         for (n = 0; n < 256*4; n++)
  95                 arc4_randbyte();
  96 }
  97
  98 /*
  99  * Generate a random byte.
 100  */
 101 static u_int8_t
 102 arc4_randbyte(void)
 103 {
 104         u_int8_t arc4_t;
 105
 106         arc4_i = (arc4_i + 1) % 256;
 107         arc4_j = (arc4_j + arc4_sbox[arc4_i]) % 256;
 108
 109         arc4_swap(&arc4_sbox[arc4_i], &arc4_sbox[arc4_j]);
 110
 111         arc4_t = (arc4_sbox[arc4_i] + arc4_sbox[arc4_j]) % 256;
 112         return arc4_sbox[arc4_t];
 113 }
 114
 115 u_int32_t
 116 karc4random(void)
 117 {
 118         u_int32_t ret;
 119         struct timeval tv_now;
 120
 121         /* Initialize array if needed. */
 122         if (!arc4_initialized)
 123                 arc4_init();
 124
 125         getmicrotime(&tv_now);
 126         if ((++arc4_numruns > ARC4_MAXRUNS) ||
 127             (tv_now.tv_sec > arc4_tv_nextreseed.tv_sec))
 128         {
 129                 arc4_randomstir();
 130         }
 131
 132         ret = arc4_randbyte();
 133         ret |= arc4_randbyte() << 8;
 134         ret |= arc4_randbyte() << 16;
 135         ret |= arc4_randbyte() << 24;
 136
 137         return ret;
 138 }