2 * THE BEER-WARE LICENSE
4 * <dan@FreeBSD.ORG> wrote this file. As long as you retain this notice you
5 * can do whatever you want with this stuff. If we meet some day, and you
6 * think this stuff is worth it, you can buy me a beer in return.
10 #if !defined(SOLARIS2)
11 # include <sys/cdefs.h>
14 #include <sys/types.h>
15 #include <sys/param.h>
17 # include <sys/kernel.h>
19 # include <sys/random.h>
21 # include <sys/libkern.h>
24 # include <sys/mutex.h>
27 #include <sys/socket.h>
29 #include <netinet/in.h>
30 #include <netinet/ip.h>
31 #include "netinet/ip_compat.h"
38 #ifdef NEED_LOCAL_RAND
39 #if !defined(__GNUC__)
43 #define ARC4_RESEED_BYTES 65536
44 #define ARC4_RESEED_SECONDS 300
45 #define ARC4_KEYBYTES (256 / 8)
47 static u_int8_t arc4_i, arc4_j;
48 static int arc4_numruns = 0;
49 static u_int8_t arc4_sbox[256];
50 static time_t arc4_t_reseed;
51 static ipfmutex_t arc4_mtx;
52 static MD5_CTX md5ctx;
54 static u_int8_t arc4_randbyte(void);
55 static int ipf_read_random(void *dest, int length);
58 arc4_swap(u_int8_t *a, u_int8_t *b)
71 arc4_randomstir (void)
75 struct timeval tv_now;
78 * XXX read_random() returns unsafe numbers if the entropy
79 * device is not loaded -- MarkM.
81 r = ipf_read_random(key, ARC4_KEYBYTES);
83 MUTEX_ENTER(&arc4_mtx);
84 /* If r == 0 || -1, just use what was on the stack. */
86 for (n = r; n < sizeof(key); n++)
90 for (n = 0; n < 256; n++) {
91 arc4_j = (arc4_j + arc4_sbox[n] + key[n]) % 256;
92 arc4_swap(&arc4_sbox[n], &arc4_sbox[arc4_j]);
95 /* Reset for next reseed cycle. */
96 arc4_t_reseed = tv_now.tv_sec + ARC4_RESEED_SECONDS;
100 * Throw away the first N words of output, as suggested in the
101 * paper "Weaknesses in the Key Scheduling Algorithm of RC4"
102 * by Fluher, Mantin, and Shamir. (N = 768 in our case.)
104 for (n = 0; n < 768*4; n++)
106 MUTEX_EXIT(&arc4_mtx);
110 * Initialize our S-box to its beginning defaults.
119 MUTEX_INIT(&arc4_mtx, "arc4_mtx");
121 for (n = 0; n < 256; n++)
122 arc4_sbox[n] = (u_int8_t) n;
129 * Generate a random byte.
136 arc4_i = (arc4_i + 1) % 256;
137 arc4_j = (arc4_j + arc4_sbox[arc4_i]) % 256;
139 arc4_swap(&arc4_sbox[arc4_i], &arc4_sbox[arc4_j]);
141 arc4_t = (arc4_sbox[arc4_i] + arc4_sbox[arc4_j]) % 256;
142 return arc4_sbox[arc4_t];
149 arc4rand(void *ptr, u_int len, int reseed)
156 (arc4_numruns > ARC4_RESEED_BYTES) ||
157 (tv.tv_sec > arc4_t_reseed))
160 MUTEX_ENTER(&arc4_mtx);
164 *p++ = arc4_randbyte();
165 MUTEX_EXIT(&arc4_mtx);
173 arc4rand(&ret, sizeof ret, 0);
178 static u_char pot[ARC4_RESEED_BYTES];
179 static u_char *pothead = pot, *pottail = pot;
180 static int inpot = 0;
183 * This is not very strong, and this is understood, but the aim isn't to
184 * be cryptographically strong - it is just to make up something that is
188 ipf_rand_push(void *src, int length)
190 static int arc4_inited = 0;
194 if (arc4_inited == 0) {
200 MD5Update(&md5ctx, src, length);
207 #if defined(_SYS_MD5_H) && defined(SOLARIS2)
208 # define buf buf_un.buf8
210 MUTEX_ENTER(&arc4_mtx);
211 while ((mylen > 64) && (sizeof(pot) - inpot > sizeof(md5ctx.buf))) {
212 MD5Update(&md5ctx, nsrc, 64);
215 if (pottail + sizeof(md5ctx.buf) > pot + sizeof(pot)) {
218 numbytes = pot + sizeof(pot) - pottail;
219 bcopy(md5ctx.buf, pottail, numbytes);
220 left = sizeof(md5ctx.buf) - numbytes;
222 bcopy(md5ctx.buf + sizeof(md5ctx.buf) - left,
226 bcopy(md5ctx.buf, pottail, sizeof(md5ctx.buf));
227 pottail += sizeof(md5ctx.buf);
231 MUTEX_EXIT(&arc4_mtx);
232 #if defined(_SYS_MD5_H) && defined(SOLARIS2)
239 ipf_read_random(void *dest, int length)
244 MUTEX_ENTER(&arc4_mtx);
245 if (pothead + length > pot + sizeof(pot)) {
249 numbytes = pot + sizeof(pot) - pothead;
250 bcopy(pothead, dest, numbytes);
253 bcopy(pothead, dest + length - left, left);
256 bcopy(pothead, dest, length);
261 pothead = pottail = pot;
262 MUTEX_EXIT(&arc4_mtx);
267 #endif /* NEED_LOCAL_RAND */