2 * Arc4 random number generator for OpenBSD.
3 * Copyright 1996 David Mazieres <dm@lcs.mit.edu>.
5 * Modification and redistribution in source and binary forms is
6 * permitted provided that due credit is given to the author and the
7 * OpenBSD project (for instance by leaving this copyright notice
12 * This code is derived from section 17.1 of Applied Cryptography,
13 * second edition, which describes a stream cipher allegedly
14 * compatible with RSA Labs "RC4" cipher (the actual description of
15 * which is a trade secret). The same algorithm is used as a stream
16 * cipher called "arcfour" in Tatu Ylonen's ssh package.
18 * Here the stream cipher has been modified always to include the time
19 * when initializing the state. That makes it impossible to
20 * regenerate the same random sequence twice, so this can't be used
21 * for encryption, but will generate good random numbers.
23 * RC4 is a registered trademark of RSA Laboratories.
26 #include <sys/cdefs.h>
27 __FBSDID("$FreeBSD$");
29 #include "namespace.h"
30 #include <sys/types.h>
37 #include "libc_private.h"
38 #include "un-namespace.h"
46 static pthread_mutex_t arc4random_mtx = PTHREAD_MUTEX_INITIALIZER;
48 #define RANDOMDEV "/dev/urandom"
49 #define THREAD_LOCK() \
52 _pthread_mutex_lock(&arc4random_mtx); \
55 #define THREAD_UNLOCK() \
58 _pthread_mutex_unlock(&arc4random_mtx); \
61 static struct arc4_stream rs;
62 static int rs_initialized;
64 static int arc4_count;
66 static inline u_int8_t arc4_getbyte(struct arc4_stream *);
67 static void arc4_stir(struct arc4_stream *);
70 arc4_init(struct arc4_stream *as)
74 for (n = 0; n < 256; n++)
81 arc4_addrandom(struct arc4_stream *as, u_char *dat, int datlen)
87 for (n = 0; n < 256; n++) {
90 as->j = (as->j + si + dat[n % datlen]);
91 as->s[as->i] = as->s[as->j];
97 arc4_stir(struct arc4_stream *as)
103 u_int8_t rnd[128 - sizeof(struct timeval) - sizeof(pid_t)];
106 gettimeofday(&rdat.tv, NULL);
108 fd = _open(RANDOMDEV, O_RDONLY, 0);
110 (void) _read(fd, rdat.rnd, sizeof(rdat.rnd));
113 /* fd < 0? Ah, what the heck. We'll just take whatever was on the
116 arc4_addrandom(as, (void *) &rdat, sizeof(rdat));
119 * Throw away the first N bytes of output, as suggested in the
120 * paper "Weaknesses in the Key Scheduling Algorithm of RC4"
121 * by Fluher, Mantin, and Shamir. N=1024 is based on
122 * suggestions in the paper "(Not So) Random Shuffles of RC4"
125 for (n = 0; n < 1024; n++)
126 (void) arc4_getbyte(as);
130 static inline u_int8_t
131 arc4_getbyte(struct arc4_stream *as)
137 as->j = (as->j + si);
142 return (as->s[(si + sj) & 0xff]);
145 static inline u_int32_t
146 arc4_getword(struct arc4_stream *as)
150 val = arc4_getbyte(as) << 24;
151 val |= arc4_getbyte(as) << 16;
152 val |= arc4_getbyte(as) << 8;
153 val |= arc4_getbyte(as);
159 arc4_check_init(void)
161 if (!rs_initialized) {
168 arc4_check_stir(void)
170 if (!rs_stired || --arc4_count == 0) {
177 arc4random_stir(void)
186 arc4random_addrandom(u_char *dat, int datlen)
191 arc4_addrandom(&rs, dat, datlen);
203 rnd = arc4_getword(&rs);
210 /*-------- Test code for i386 --------*/
212 #include <machine/pctr.h>
214 main(int argc, char **argv)
216 const int iter = 1000000;
221 for (i = 0; i < iter; i++)
226 printf("%qd cycles\n", v);