3c0ef626 | 1 | /* |
cdd66111 | 2 | * Copyright (c) 1999,2000,2004 Damien Miller <djm@mindrot.org> |
3c0ef626 | 3 | * |
cdd66111 | 4 | * Permission to use, copy, modify, and distribute this software for any |
5 | * purpose with or without fee is hereby granted, provided that the above | |
6 | * copyright notice and this permission notice appear in all copies. | |
3c0ef626 | 7 | * |
cdd66111 | 8 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
9 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF | |
10 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR | |
11 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES | |
12 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN | |
13 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF | |
14 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | |
3c0ef626 | 15 | */ |
16 | ||
#include "includes.h"

#include <sys/types.h>

#include <stdarg.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include "log.h"
3c0ef626 | 26 | |
27 | #ifndef HAVE_ARC4RANDOM | |
28 | ||
29 | #include <openssl/rand.h> | |
30 | #include <openssl/rc4.h> | |
31 | #include <openssl/err.h> | |
32 | ||
/*
 * Size of key to use: arc4random_stir() pulls this many bytes from
 * RAND_bytes() and feeds them to RC4_set_key().
 */
#define SEED_SIZE 20

/*
 * Number of bytes to reseed after: arc4random_stir() sets rc4_ready to
 * this value and arc4random() subtracts sizeof(unsigned int) per call,
 * so a key is used for at most 16 MiB of keystream before rekeying.
 */
#define REKEY_BYTES (1 << 24)

/*
 * Remaining output budget (in bytes) for the current key; a value <= 0
 * means the generator must be (re)keyed before producing output.
 *
 * Both statics are process-global with no locking, so this shim is not
 * thread-safe, and after fork() parent and child hold the same key
 * schedule unless one of them rekeys.
 */
static int rc4_ready = 0;
/* Current RC4 key schedule; zeroed and rekeyed by arc4random_stir(). */
static RC4_KEY rc4;
41 | ||
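/*
 * Return 32 bits of RC4 keystream from the process-wide generator.
 *
 * On the very first call seed_rng() runs once before the initial
 * arc4random_stir(); after that the generator is rekeyed whenever the
 * REKEY_BYTES output budget (rc4_ready) is exhausted.
 *
 * Fork safety: the key schedule lives in a static, so a forked child
 * would otherwise continue the parent's keystream and both processes
 * would hand out identical "random" values until the next rekey.  We
 * record the pid that last keyed the generator here and rekey when it
 * changes.  This is best-effort only (pid reuse by a later descendant
 * can defeat it, and a child that already called arc4random_stir()
 * itself will be stirred once more), so code that forks should still
 * stir explicitly in the child.
 *
 * Not thread-safe.
 */
unsigned int
arc4random(void)
{
	static int first_time = 1;
	static pid_t keyed_pid = 0;
	pid_t pid = getpid();
	unsigned int r = 0;

	if (rc4_ready <= 0 || pid != keyed_pid) {
		if (first_time) {
			seed_rng();
			first_time = 0;
		}
		arc4random_stir();
		keyed_pid = pid;
	}

	/* Encrypting a zero word in place yields raw keystream. */
	RC4(&rc4, sizeof(r), (unsigned char *)&r, (unsigned char *)&r);
	rc4_ready -= sizeof(r);

	return r;
}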
61 | ||
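/*
 * (Re)key the generator from OpenSSL's CSPRNG and reset the output
 * budget.
 *
 * Aborts via fatal() if RAND_bytes() cannot supply SEED_SIZE bytes: a
 * silently unkeyed RC4 state would produce a fixed, predictable
 * keystream.  The error code from ERR_get_error() is an unsigned long,
 * hence "%lu".
 *
 * After keying, the loop below discards 280 bytes of keystream
 * (i = 0, 20, ..., 260 -> 14 blocks of SEED_SIZE), since the first
 * output bytes of RC4 are correlated with the key (see the paper linked
 * in the comment).  Bear in mind RC4 also has long-term keystream
 * biases and its OpenSSL API is deprecated from OpenSSL 3.0 on; this
 * shim is only a fallback for platforms without a libc arc4random().
 *
 * Not thread-safe; operates on the file-scope rc4 / rc4_ready state.
 */
void
arc4random_stir(void)
{
	unsigned char rand_buf[SEED_SIZE];
	volatile unsigned char *scrub;
	size_t i;

	memset(&rc4, 0, sizeof(rc4));
	if (RAND_bytes(rand_buf, sizeof(rand_buf)) <= 0)
		fatal("Couldn't obtain random bytes (error %lu)",
		    ERR_get_error());
	RC4_set_key(&rc4, sizeof(rand_buf), rand_buf);

	/*
	 * Discard early keystream, as per recommendations in:
	 * http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Rc4_ksa.ps
	 * rand_buf doubles as scratch space, which also overwrites the key.
	 */
	for (i = 0; i <= 256; i += sizeof(rand_buf))
		RC4(&rc4, sizeof(rand_buf), rand_buf, rand_buf);

	/*
	 * Wipe the key material before returning.  A plain memset() on a
	 * buffer that is about to go out of scope is a dead store the
	 * compiler may elide; writing through a volatile pointer is not.
	 */
	scrub = rand_buf;
	for (i = 0; i < sizeof(rand_buf); i++)
		scrub[i] = 0;

	rc4_ready = REKEY_BYTES;
}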
85 | #endif /* !HAVE_ARC4RANDOM */ | |
22616013 | 86 | |
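#ifndef HAVE_ARC4RANDOM_BUF
/*
 * Fill n bytes at _buf with output from arc4random().
 *
 * Each 32-bit word from arc4random() is consumed least-significant byte
 * first, one byte per iteration, so n need not be a multiple of four and
 * n == 0 is a no-op.  Any unused bytes of the final word are wiped
 * before returning.
 *
 * The guard uses the HAVE_<func> convention that configure checks and
 * the rest of this file (HAVE_ARC4RANDOM, the matching #endif comment)
 * follow.  The original tested a bare ARC4RANDOM_BUF, which presumably
 * nothing defines, so this shim would have been compiled even where
 * libc already provides arc4random_buf().
 */
void
arc4random_buf(void *_buf, size_t n)
{
	unsigned char *buf = _buf;
	volatile u_int32_t *wipe;
	u_int32_t r = 0;
	size_t i;

	for (i = 0; i < n; i++) {
		if (i % sizeof(r) == 0)
			r = arc4random();
		buf[i] = r & 0xff;
		r >>= 8;
	}

	/*
	 * Don't leave leftover keystream on the stack.  The store goes
	 * through a volatile pointer so it cannot be dropped as dead.
	 */
	wipe = &r;
	*wipe = 0;
}
#endif /* !HAVE_ARC4RANDOM_BUF */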
104 | ||
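#ifndef HAVE_ARC4RANDOM_UNIFORM
/*
 * Calculate a uniformly distributed random number less than upper_bound
 * avoiding "modulo bias".
 *
 * Uniformity is achieved by generating new random numbers until the one
 * returned is outside the range [0, 2**32 % upper_bound).  This
 * guarantees the selected random number will be inside
 * [2**32 % upper_bound, 2**32), which maps back to [0, upper_bound)
 * after reduction modulo upper_bound.
 *
 * Returns 0 for upper_bound 0 or 1: there is nothing to choose, and it
 * avoids a division by zero.
 *
 * The threshold 2**32 % upper_bound is computed as
 * (2**32 - upper_bound) % upper_bound, which has the same value and
 * needs only 32-bit arithmetic (-upper_bound wraps to
 * 2**32 - upper_bound in unsigned arithmetic).  The original selected
 * between a 64-bit and a 32-bit formula with "#if ULONG_MAX > ...";
 * that depends on <limits.h> being included, and an undefined macro
 * silently evaluates to 0 in #if, so it was hard to know which path
 * was built.  The single expression removes that dependency.
 *
 * The guard uses the HAVE_<func> convention followed by the rest of
 * this file and by the matching #endif comment.
 */
u_int32_t
arc4random_uniform(u_int32_t upper_bound)
{
	u_int32_t r, min;

	if (upper_bound < 2)
		return 0;

	/* 2**32 % upper_bound, without 64-bit math */
	min = -upper_bound % upper_bound;

	/*
	 * This could theoretically loop forever but each retry has
	 * p > 0.5 (worst case, usually far better) of selecting a
	 * number inside the range we need, so it should rarely need
	 * to re-roll: min < upper_bound when upper_bound <= 2**31, and
	 * min = 2**32 - upper_bound < 2**31 otherwise.
	 */
	for (;;) {
		r = arc4random();
		if (r >= min)
			break;
	}

	return r % upper_bound;
}
#endif /* !HAVE_ARC4RANDOM_UNIFORM */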