2 * THE BEER-WARE LICENSE
4 * <dan@FreeBSD.ORG> wrote this file. As long as you retain this notice you
5 * can do whatever you want with this stuff. If we meet some day, and you
6 * think this stuff is worth it, you can buy me a beer in return.
10 #if !defined(SOLARIS2) && !defined(__osf__)
11 # include <sys/cdefs.h>
14 #include <sys/types.h>
15 #include <sys/param.h>
17 # include <sys/kernel.h>
20 # include <sys/random.h>
23 # include <sys/libkern.h>
27 # include <sys/mutex.h>
31 #if defined(SOLARIS2) && (SOLARIS2 < 9)
32 # include <netinet/in_systm.h>
34 #include <sys/socket.h>
37 # include <net/route.h>
39 #include <netinet/in.h>
40 #include <netinet/ip.h>
41 #include "netinet/ip_compat.h"
48 #ifdef NEED_LOCAL_RAND
49 #if !defined(__GNUC__)
53 #define ARC4_RESEED_BYTES 65536
54 #define ARC4_RESEED_SECONDS 300
55 #define ARC4_KEYBYTES (256 / 8)
57 static u_int8_t arc4_i, arc4_j;
58 static int arc4_numruns = 0;
59 static u_int8_t arc4_sbox[256];
60 static time_t arc4_t_reseed;
61 static ipfmutex_t arc4_mtx;
62 static MD5_CTX md5ctx;
64 static u_int8_t arc4_randbyte(void);
65 static int ipf_read_random(void *dest, int length);
68 arc4_swap(u_int8_t *a, u_int8_t *b)
81 arc4_randomstir (void)
85 struct timeval tv_now;
88 * XXX read_random() returns unsafe numbers if the entropy
89 * device is not loaded -- MarkM.
91 r = ipf_read_random(key, ARC4_KEYBYTES);
93 MUTEX_ENTER(&arc4_mtx);
94 /* If r == 0 || -1, just use what was on the stack. */
96 for (n = r; n < sizeof(key); n++)
100 for (n = 0; n < 256; n++) {
101 arc4_j = (arc4_j + arc4_sbox[n] + key[n]) % 256;
102 arc4_swap(&arc4_sbox[n], &arc4_sbox[arc4_j]);
105 /* Reset for next reseed cycle. */
106 arc4_t_reseed = tv_now.tv_sec + ARC4_RESEED_SECONDS;
110 * Throw away the first N words of output, as suggested in the
111 * paper "Weaknesses in the Key Scheduling Algorithm of RC4"
112 * by Fluher, Mantin, and Shamir. (N = 256 in our case.)
114 for (n = 0; n < 256*4; n++)
116 MUTEX_EXIT(&arc4_mtx);
120 * Initialize our S-box to its beginning defaults.
129 MUTEX_INIT(&arc4_mtx, "arc4_mtx");
131 for (n = 0; n < 256; n++)
132 arc4_sbox[n] = (u_int8_t) n;
139 * Generate a random byte.
146 arc4_i = (arc4_i + 1) % 256;
147 arc4_j = (arc4_j + arc4_sbox[arc4_i]) % 256;
149 arc4_swap(&arc4_sbox[arc4_i], &arc4_sbox[arc4_j]);
151 arc4_t = (arc4_sbox[arc4_i] + arc4_sbox[arc4_j]) % 256;
152 return arc4_sbox[arc4_t];
159 arc4rand(void *ptr, u_int len, int reseed)
166 (arc4_numruns > ARC4_RESEED_BYTES) ||
167 (tv.tv_sec > arc4_t_reseed))
170 MUTEX_ENTER(&arc4_mtx);
174 *p++ = arc4_randbyte();
175 MUTEX_EXIT(&arc4_mtx);
183 arc4rand(&ret, sizeof ret, 0);
188 static u_char pot[ARC4_RESEED_BYTES];
189 static u_char *pothead = pot, *pottail = pot;
190 static int inpot = 0;
193 * This is not very strong, and this is understood, but the aim isn't to
194 * be cryptographically strong - it is just to make up something that is
198 ipf_rand_push(void *src, int length)
200 static int arc4_inited = 0;
204 if (arc4_inited == 0) {
210 MD5Update(&md5ctx, src, length);
217 #if defined(_SYS_MD5_H) && defined(SOLARIS2)
218 # define buf buf_un.buf8
220 MUTEX_ENTER(&arc4_mtx);
221 while ((mylen > 64) && (sizeof(pot) - inpot > sizeof(md5ctx.buf))) {
222 MD5Update(&md5ctx, nsrc, 64);
225 if (pottail + sizeof(md5ctx.buf) > pot + sizeof(pot)) {
228 numbytes = pot + sizeof(pot) - pottail;
229 bcopy(md5ctx.buf, pottail, numbytes);
230 left = sizeof(md5ctx.buf) - numbytes;
232 bcopy(md5ctx.buf + sizeof(md5ctx.buf) - left,
236 bcopy(md5ctx.buf, pottail, sizeof(md5ctx.buf));
237 pottail += sizeof(md5ctx.buf);
241 MUTEX_EXIT(&arc4_mtx);
242 #if defined(_SYS_MD5_H) && defined(SOLARIS2)
249 ipf_read_random(void *dest, int length)
254 MUTEX_ENTER(&arc4_mtx);
255 if (pothead + length > pot + sizeof(pot)) {
259 numbytes = pot + sizeof(pot) - pothead;
260 bcopy(pothead, dest, numbytes);
263 bcopy(pothead, dest + length - left, left);
266 bcopy(pothead, dest, length);
271 pothead = pottail = pot;
272 MUTEX_EXIT(&arc4_mtx);
277 #endif /* NEED_LOCAL_RAND */