mirror of
git://uclibc.org/uClibc.git
synced 2026-01-19 00:08:21 +08:00
7ec85e4716
Add config option to provide arc4random without device access. Signed-off-by: Peter S. Mazinger <ps.m@gmx.net>
216 lines
5.0 KiB
C
216 lines
5.0 KiB
C
/*
|
|
* Copyright (c) 1996, David Mazieres <dm@uun.org>
|
|
*
|
|
* Permission to use, copy, modify, and distribute this software for any
|
|
* purpose with or without fee is hereby granted, provided that the above
|
|
* copyright notice and this permission notice appear in all copies.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
*/
|
|
|
|
/*
|
|
* Arc4 random number generator for OpenBSD.
|
|
*
|
|
* This code is derived from section 17.1 of Applied Cryptography,
|
|
* second edition, which describes a stream cipher allegedly
|
|
* compatible with RSA Labs "RC4" cipher (the actual description of
|
|
* which is a trade secret). The same algorithm is used as a stream
|
|
* cipher called "arcfour" in Tatu Ylonen's ssh package.
|
|
*
|
|
* Here the stream cipher has been modified always to include entropy
|
|
* when initializing the state. That makes it impossible to
|
|
* regenerate the same random sequence twice, so this can't be used
|
|
* for encryption, but will generate good random numbers.
|
|
*
|
|
* RC4 is a registered trademark of RSA Laboratories.
|
|
*/
|
|
|
|
/* $OpenBSD: arc4random.c,v 1.16 2007/02/12 19:58:47 otto Exp $ */
|
|
|
|
#include <features.h>
|
|
|
|
#include <fcntl.h>
|
|
#include <stdlib.h>
|
|
#include <unistd.h>
|
|
#include <sys/types.h>
|
|
#include <sys/time.h>
|
|
|
|
struct arc4_stream {
|
|
u_int8_t i;
|
|
u_int8_t j;
|
|
u_int8_t s[256];
|
|
};
|
|
|
|
static smallint rs_initialized;
|
|
static struct arc4_stream rs;
|
|
static pid_t arc4_stir_pid;
|
|
static int arc4_count;
|
|
|
|
static __inline__ void
|
|
arc4_init(struct arc4_stream *as)
|
|
{
|
|
int n;
|
|
|
|
for (n = 0; n < 256; n++)
|
|
as->s[n] = n;
|
|
as->i = 0;
|
|
as->j = 0;
|
|
}
|
|
|
|
static __inline__ u_int8_t
|
|
arc4_getbyte(struct arc4_stream *as)
|
|
{
|
|
u_int8_t si, sj;
|
|
|
|
as->i = (as->i + 1);
|
|
si = as->s[as->i];
|
|
as->j = (as->j + si);
|
|
sj = as->s[as->j];
|
|
as->s[as->i] = sj;
|
|
as->s[as->j] = si;
|
|
return (as->s[(si + sj) & 0xff]);
|
|
}
|
|
|
|
static __inline__ void
|
|
arc4_addrandom(struct arc4_stream *as, u_char *dat, int datlen)
|
|
{
|
|
int n;
|
|
u_int8_t si;
|
|
|
|
as->i--;
|
|
for (n = 0; n < 256; n++) {
|
|
as->i = (as->i + 1);
|
|
si = as->s[as->i];
|
|
as->j = (as->j + si + dat[n % datlen]);
|
|
as->s[as->i] = as->s[as->j];
|
|
as->s[as->j] = si;
|
|
}
|
|
as->j = as->i;
|
|
}
|
|
|
|
static void
|
|
arc4_stir(struct arc4_stream *as)
|
|
{
|
|
int n;
|
|
u_char rnd[128];
|
|
struct timeval tv;
|
|
|
|
#ifndef __ARC4RANDOM_USES_NODEV__
|
|
int fd;
|
|
|
|
fd = open("/dev/urandom", O_RDONLY);
|
|
if (fd != -1) {
|
|
read(fd, rnd, sizeof(rnd));
|
|
close(fd);
|
|
}
|
|
/* Did the pseudo-random device fail? Use gettimeofday(). */
|
|
else
|
|
#endif
|
|
if (gettimeofday(&tv, NULL) != (-1)) {
|
|
|
|
/* Initialize the first element so it's hopefully not '0',
|
|
* to help out the next loop. Tossing in some prime numbers
|
|
* probably can't hurt. */
|
|
rnd[0] = (tv.tv_sec % 10000) * 3 + tv.tv_usec * 7 + \
|
|
(getpid() % 1000) * 13;
|
|
|
|
for (n = 1; n < 127 ; n++) {
|
|
|
|
/* Take advantage of the stack space. Only initialize
|
|
* elements equal to '0'. This will make the rnd[]
|
|
* array much less vulnerable to timing attacks. Here
|
|
* we'll stir getpid() into the value of the previous
|
|
* element. Approximately 1 in 128 elements will still
|
|
* become '0'. */
|
|
|
|
if (rnd[n] == 0) {
|
|
rnd[n] = ((rnd[n - 1] + n) ^ \
|
|
((getpid() % 1000) * 17));
|
|
}
|
|
}
|
|
}
|
|
else {
|
|
/* gettimeofday() failed? Do the same thing as above, but only
|
|
* with getpid(). */
|
|
|
|
rnd[0] = (getpid() % 1000) * 19;
|
|
for (n = 1; n < 127 ; n++) {
|
|
if (rnd[n] == 0) {
|
|
rnd[n] = ((rnd[n - 1] + n) ^ \
|
|
((getpid() % 1000) * 23));
|
|
}
|
|
}
|
|
}
|
|
|
|
arc4_stir_pid = getpid();
|
|
arc4_addrandom(as, rnd, sizeof(rnd));
|
|
|
|
/*
|
|
* Discard early keystream, as per recommendations in:
|
|
* http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Rc4_ksa.ps
|
|
*/
|
|
for (n = 0; n < 256; n++)
|
|
(void)arc4_getbyte(as);
|
|
arc4_count = 1600000;
|
|
}
|
|
|
|
#if 0
|
|
static void __arc4random_stir(void);
|
|
/*
|
|
* __arc4_getbyte() is a libc private function intended for use
|
|
* with malloc.
|
|
*/
|
|
u_int8_t
|
|
__arc4_getbyte(void)
|
|
{
|
|
if (--arc4_count == 0 || !rs_initialized)
|
|
__arc4random_stir();
|
|
return arc4_getbyte(&rs);
|
|
}
|
|
#endif
|
|
|
|
static __inline__ u_int32_t
|
|
arc4_getword(struct arc4_stream *as)
|
|
{
|
|
u_int32_t val;
|
|
val = arc4_getbyte(as) << 24;
|
|
val |= arc4_getbyte(as) << 16;
|
|
val |= arc4_getbyte(as) << 8;
|
|
val |= arc4_getbyte(as);
|
|
return val;
|
|
}
|
|
|
|
static void
|
|
__arc4random_stir(void)
|
|
{
|
|
if (!rs_initialized) {
|
|
arc4_init(&rs);
|
|
rs_initialized = 1;
|
|
}
|
|
arc4_stir(&rs);
|
|
}
|
|
strong_alias(__arc4random_stir,arc4random_stir)
|
|
|
|
void
|
|
arc4random_addrandom(u_char *dat, int datlen)
|
|
{
|
|
if (!rs_initialized)
|
|
__arc4random_stir();
|
|
arc4_addrandom(&rs, dat, datlen);
|
|
}
|
|
|
|
u_int32_t
|
|
arc4random(void)
|
|
{
|
|
arc4_count -= 4;
|
|
if (arc4_count <= 0 || !rs_initialized || arc4_stir_pid != getpid())
|
|
__arc4random_stir();
|
|
return arc4_getword(&rs);
|
|
}
|