static void
stir_finish(uint8_t av)
{
size_t n;
uint8_t tb[16];
arc4_stir_pid = getpid();
/*
* Discard early keystream, as per recommendations in:
* http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Rc4_ksa.ps
* "(Not So) Random Shuffles of RC4" by Ilya Mironov says to
* drop at least 256 * 2 bytes, with 256 * 12 being suggested.
* We also discard a randomly fuzzed amount.
*/
n = 256 * 12 + (arc4_getbyte() & 0x0FU) + (av & 0xF0U);
av &= 0x0FU;
while (n--)
arc4_getbyte();
while (++n < sizeof(tb))
tb[n] = arc4_getbyte();
if (arc4_writeback(tb, sizeof(tb), 0))
arc4_getbyte();
while (av--)
arc4_getbyte();
arc4_count = 1600000;
}
static inline u_int32_t arc4_getword(void)
{
u_int32_t val;
val = arc4_getbyte() << 24;
val |= arc4_getbyte() << 16;
val |= arc4_getbyte() << 8;
val |= arc4_getbyte();
return val;
}
static __inline__ u_int32_t
arc4_getword(struct arc4_stream *as)
{
u_int32_t val;
val = arc4_getbyte(as) << 24;
val |= arc4_getbyte(as) << 16;
val |= arc4_getbyte(as) << 8;
val |= arc4_getbyte(as);
return val;
}
static uint32_t
arc4_getword(void)
{
uint32_t val;
val = (uint32_t)arc4_getbyte() << 24;
val |= (uint32_t)arc4_getbyte() << 16;
val |= (uint32_t)arc4_getbyte() << 8;
val |= (uint32_t)arc4_getbyte();
return (val);
}
static _HB_INLINE_ HB_U32 arc4_getword( void )
{
HB_U32 val;
val = arc4_getbyte() << 24;
val |= arc4_getbyte() << 16;
val |= arc4_getbyte() << 8;
val |= arc4_getbyte();
return val;
}
static inline unsigned int
arc4_getword(struct arc4_stream *as)
{
unsigned int val;
val = arc4_getbyte(as) << 24;
val |= arc4_getbyte(as) << 16;
val |= arc4_getbyte(as) << 8;
val |= arc4_getbyte(as);
return (val);
}
static inline unsigned int
arc4_getword(void)
{
unsigned int val;
val = arc4_getbyte() << 24;
val |= arc4_getbyte() << 16;
val |= arc4_getbyte() << 8;
val |= arc4_getbyte();
return val;
}
int
break_outguess(struct ogobj *og, struct arc4_stream *as, iterator *it,
char **pbuf, int *pbuflen)
{
u_char state[4];
static u_char buf[512];
struct arc4_stream tas = *as;
int length, seed, need;
int bits, i, n;
state[0] = steg_retrbyte(og->coeff, 8, it) ^ arc4_getbyte(as);
state[1] = steg_retrbyte(og->coeff, 8, it) ^ arc4_getbyte(as);
state[2] = steg_retrbyte(og->coeff, 8, it) ^ arc4_getbyte(as);
state[3] = steg_retrbyte(og->coeff, 8, it) ^ arc4_getbyte(as);
seed = (state[1] << 8) | state[0];
length = (state[3] << 8) | state[2];
if (seed > max_seed || length * 8 >= og->bits/2 || length < min_len)
return (0);
iterator_seed(it, seed);
bits = MIN(og->bits, sizeof(og->coeff) * 8);
n = 0;
while (iterator_current(it) < bits && length > 0 && n < sizeof(buf)) {
iterator_adapt(it, og->bits, length);
buf[n++] = steg_retrbyte(og->coeff, 8, it);
length--;
}
/* For testing the randomness, we need some extra information */
need = MIN(min_len, sizeof(buf));
if (n < need || !is_random(buf, n))
return (0);
/* Plaintext tests? */
for (i = 0; i < n; i++)
buf[i] ^= arc4_getbyte(&tas);
if (file_process(buf, n) == 0)
return (0);
*pbuf = buf;
*pbuflen = n;
return (1);
}
static void arc4_stir(void)
{
int i, fd;
union {
uint32_t tsc;
u_int rnd[128 / sizeof(u_int)];
} rdat;
int n;
if (!rs_initialized) {
arc4_init();
rs_initialized = 1;
}
/*
* Get current performance monitor ticks.
*/
rdat.tsc = 0;
#if 0
__asm__ __volatile__("mrc p15, 0, %0, c9, c13, 0":"=r"(rdat.tsc));
#endif
arc4_addrandom((void *) &rdat, sizeof(rdat));
/*
* Discard early keystream, as per recommendations in:
* http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Rc4_ksa.ps
*/
for (i = 0; i < 256; i++)
(void) arc4_getbyte();
arc4_count = 1600000;
}
static void
arc4_stir(struct arc4_stream *as)
{
int fd, n;
struct {
struct timeval tv;
pid_t pid;
unsigned char rnd[128 - sizeof(struct timeval) - sizeof(pid_t)];
} rdat;
gettimeofday(&rdat.tv, NULL);
rdat.pid = getpid();
fd = open(RANDOMDEV, O_RDONLY, 0);
if (fd >= 0) {
n = read(fd, rdat.rnd, sizeof(rdat.rnd));
close(fd);
}
/* fd < 0? Ah, what the heck. We'll just take whatever was on the
* stack... */
arc4_addrandom(as, (void *) &rdat, sizeof(rdat));
/*
* Throw away the first N bytes of output, as suggested in the
* paper "Weaknesses in the Key Scheduling Algorithm of RC4"
* by Fluher, Mantin, and Shamir. N=1024 is based on
* suggestions in the paper "(Not So) Random Shuffles of RC4"
* by Ilya Mironov.
*/
for (n = 0; n < 1024; n++)
(void) arc4_getbyte(as);
arc4_count = 400000;
}
/*
* __arc4_getbyte() is a libc private function intended for use
* with malloc.
*/
u_int8_t
__arc4_getbyte(void)
{
if (--arc4_count == 0 || !rs_initialized)
__arc4random_stir();
return arc4_getbyte(&rs);
}
static void
arc4_stir(void)
{
int i, mib[2];
size_t len;
u_char rnd[128];
if (!rs_initialized) {
arc4_init();
rs_initialized = 1;
}
mib[0] = CTL_KERN;
mib[1] = KERN_ARND;
len = sizeof(rnd);
sysctl(mib, 2, rnd, &len, NULL, 0);
arc4_addrandom(rnd, sizeof(rnd));
/*
* Discard early keystream, as per recommendations in:
* http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Rc4_ksa.ps
*/
for (i = 0; i < 256; i++)
(void)arc4_getbyte();
arc4_count = 1600000;
}
static void
arc4_stir(void)
{
int i;
if (!rs_initialized) {
arc4_init();
rs_initialized = 1;
}
arc4_seed();
/*
* Discard early keystream, as per recommendations in
* "Weaknesses in the Key Scheduling Algorithm of RC4" by
* Scott Fluhrer, Itsik Mantin, and Adi Shamir.
* http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Rc4_ksa.ps
*
* Ilya Mironov's "(Not So) Random Shuffles of RC4" suggests that
* we drop at least 2*256 bytes, with 12*256 as a conservative
* value.
*
* RFC4345 says to drop 6*256.
*
* At least some versions of this code drop 4*256, in a mistaken
* belief that "words" in the Fluhrer/Mantin/Shamir paper refers
* to processor words.
*
* We add another sect to the cargo cult, and choose 12*256.
*/
for (i = 0; i < 12*256; i++)
(void)arc4_getbyte();
arc4_count = BYTES_BEFORE_RESEED;
}
static void
arc4_stir(struct arc4_stream *as)
{
int fd;
struct {
struct timeval tv;
unsigned int rnd[(128 - sizeof(struct timeval)) /
sizeof(unsigned int)];
} rdat;
int n;
gettimeofday(&rdat.tv, NULL);
fd = open("/dev/urandom", O_RDONLY);
if (fd != -1) {
n = read(fd, rdat.rnd, sizeof(rdat.rnd));
close(fd);
}
/* fd < 0? Ah, what the heck. We'll just take
* whatever was on the stack... */
arc4_addrandom(as, (void *) &rdat, sizeof(rdat));
/*
* Throw away the first N words of output, as suggested in the
* paper "Weaknesses in the Key Scheduling Algorithm of RC4"
* by Fluher, Mantin, and Shamir. (N = 256 in our case.)
*/
for (n = 0; n < 256 * 4; n++)
arc4_getbyte(as);
arc4_count = 1600000;
}
void
arc4_init( void )
{
int i, fd;
unsigned char j, si, dat[128];
if ((fd = open( "/dev/urandom", O_RDONLY )) < 0 && (fd = open( "/dev/random", O_RDONLY )) < 0) {
error( "Fatal: no random number source available.\n" );
exit( 3 );
}
if (read( fd, dat, 128 ) != 128) {
error( "Fatal: cannot read random number source.\n" );
exit( 3 );
}
close( fd );
for (i = 0; i < 256; i++)
rs.s[i] = i;
for (i = j = 0; i < 256; i++) {
si = rs.s[i];
j += si + dat[i & 127];
rs.s[i] = rs.s[j];
rs.s[j] = si;
}
rs.i = rs.j = 0;
for (i = 0; i < 256; i++)
arc4_getbyte();
}
void
arc4random_buf(void *_buf, size_t n)
{
uint8_t *buf = (uint8_t *)_buf;
if (!rs_initialized || arc4_stir_pid != getpid())
arc4random_stir();
buf[0] = arc4_getbyte() % 3;
while (buf[0]--)
(void)arc4_getbyte();
while (n--) {
if (--arc4_count <= 0)
arc4_stir();
buf[n] = arc4_getbyte();
}
}
static void
arc4_stir(void)
{
#if 1 /* BIONIC-BEGIN */
int i, fd;
union {
struct timeval tv;
u_int rnd[128 / sizeof(u_int)];
} rdat;
int n;
if (!rs_initialized) {
arc4_init();
rs_initialized = 1;
}
fd = open("/dev/urandom", O_RDONLY);
if (fd != -1) {
read(fd, rdat.rnd, sizeof(rdat.rnd));
close(fd);
}
else
{
/* fd < 0 ? Ah, what the heck. We'll just take
* whatever was on the stack. just add a little more
* time-based randomness though
*/
gettimeofday(&rdat.tv, NULL);
}
arc4_stir_pid = getpid();
arc4_addrandom((void *) &rdat, sizeof(rdat));
#else /* BIONIC-END */
int i, mib[2];
size_t len;
u_char rnd[128];
if (!rs_initialized) {
arc4_init();
rs_initialized = 1;
}
mib[0] = CTL_KERN;
mib[1] = KERN_ARND;
len = sizeof(rnd);
sysctl(mib, 2, rnd, &len, NULL, 0);
arc4_stir_pid = getpid();
arc4_addrandom(rnd, sizeof(rnd));
#endif
/*
* Discard early keystream, as per recommendations in:
* http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Rc4_ksa.ps
*/
for (i = 0; i < 256; i++)
(void)arc4_getbyte();
arc4_count = 1600000;
}
uint32_t
arc4random_pushb(const void *src, size_t len)
{
size_t rlen;
union {
uint8_t buf[256];
struct {
struct timeval tv;
const void *sp, *dp;
size_t sz;
uint32_t vu;
} s;
uint32_t xbuf;
} idat;
uint32_t res = 1;
if (!rs_initialized) {
arc4_init();
rs_initialized = 1;
}
idat.s.sp = &idat;
idat.s.dp = src;
idat.s.sz = len;
idat.s.vu = arc4_getword();
gettimeofday(&idat.s.tv, NULL);
rlen = MAX(sizeof(idat.s), len);
while (rlen--)
idat.buf[rlen % sizeof(idat.buf)] ^=
((const uint8_t *)src)[rlen % len];
rlen = MIN(sizeof(idat), MAX(sizeof(idat.s), len));
if (arc4_writeback((void *)&idat, rlen, 1))
res = 0;
arc4_addrandom((void *)&idat, rlen);
rlen = arc4_getbyte() & 1;
if (res)
res = idat.xbuf;
else
/* we got entropy from the kernel, so consider us stirred */
stir_finish(idat.buf[5]);
if (rlen)
(void)arc4_getbyte();
return (res ^ arc4_getword());
}
u_int8_t __arc4_getbyte(void)
{
u_int8_t val;
if (--arc4_count == 0 || !rs_initialized)
arc4_stir();
val = arc4_getbyte();
return val;
}
void arc4random_buf(void *_buf, size_t n)
{
u_char *buf = (u_char *) _buf;
if (!rs_initialized)
arc4_stir();
while (n--) {
if (--arc4_count <= 0)
arc4_stir();
buf[n] = arc4_getbyte();
}
}
void
arc4random_buf(void *_buf, size_t n)
{
u_char *buf = (u_char *)_buf;
_ARC4_LOCK();
arc4_stir_if_needed();
while (n--) {
if (--arc4_count <= 0)
arc4_stir();
buf[n] = arc4_getbyte();
}
_ARC4_UNLOCK();
}
ARC4RANDOM_EXPORT void
arc4random_buf(void *_buf, size_t n)
{
unsigned char *buf = _buf;
_ARC4_LOCK();
arc4_stir_if_needed();
while (n--) {
if (--arc4_count <= 0)
arc4_stir();
buf[n] = arc4_getbyte();
}
_ARC4_UNLOCK();
}
void
arc4random_buf(void *_buf, size_t n)
{
u_char *buf = (u_char *)_buf;
_ARC4_LOCK();
if (!rs_initialized || arc4_stir_pid != getpid())
arc4_stir();
while (n--) {
if (--arc4_count <= 0)
arc4_stir();
buf[n] = arc4_getbyte();
}
_ARC4_UNLOCK();
}
void
arc4random_buf(void *_buf, size_t n)
{
u_char *buf = (u_char *)_buf;
THREAD_LOCK();
arc4_check_init();
while (n--) {
arc4_check_stir();
buf[n] = arc4_getbyte();
arc4_count--;
}
THREAD_UNLOCK();
}
/*
* Calculate a uniformly distributed random number less than
* upper_bound avoiding "modulo bias".
*
* Uniformity is achieved by generating new random numbers
* until the one returned is outside the range
* [0, 2^32 % upper_bound[. This guarantees the selected
* random number will be inside the range
* [2^32 % upper_bound, 2^32[ which maps back to
* [0, upper_bound[ after reduction modulo upper_bound.
*/
uint32_t
arc4random_uniform(uint32_t upper_bound)
{
uint32_t r, min;
if (upper_bound < 2)
return (0);
#if defined(ULONG_MAX) && (ULONG_MAX > 0xFFFFFFFFUL)
min = 0x100000000UL % upper_bound;
#else
/* calculate (2^32 % upper_bound) avoiding 64-bit math */
if (upper_bound > 0x80000000U)
/* 2^32 - upper_bound (only one "value area") */
min = 1 + ~upper_bound;
else
/* ((2^32 - x) % x) == (2^32 % x) when x <= 2^31 */
min = (0xFFFFFFFFU - upper_bound + 1) % upper_bound;
#endif
/*
* This could theoretically loop forever but each retry has
* p > 0.5 (worst case, usually far better) of selecting a
* number inside the range we need, so it should rarely need
* to re-roll (at all).
*/
arc4_count -= 4;
if (!rs_initialized || arc4_stir_pid != getpid() || arc4_count <= 0)
arc4random_stir();
if (arc4_getbyte() & 1)
(void)arc4_getbyte();
do {
r = arc4_getword();
} while (r < min);
return (r % upper_bound);
}
static void
arc4_stir(struct arc4_stream *as)
{
int fd;
struct {
struct timeval tv;
uint rnd[(128 - sizeof(struct timeval)) / sizeof(uint)];
} rdat;
int n;
gettimeofday(&rdat.tv, NULL);
fd = open("/dev/urandom", O_RDONLY);
if (fd != -1) {
read(fd, rdat.rnd, sizeof(rdat.rnd));
close(fd);
}
#ifdef __ARC4RANDOM_USE_ERANDOM__
else {
int mib[3];
uint i;
size_t len;
/* Device could not be opened, we might be chrooted, take
* randomness from sysctl. */
mib[0] = CTL_KERN;
mib[1] = KERN_RANDOM;
mib[2] = RANDOM_ERANDOM;
for (i = 0; i < sizeof(rdat.rnd) / sizeof(uint); i++) {
len = sizeof(uint);
if (sysctl(mib, 3, &rdat.rnd[i], &len, NULL, 0) == -1)
break;
}
}
#endif
arc4_addrandom(as, (void *) &rdat, sizeof(rdat));
/*
* Throw away the first N words of output, as suggested in the
* paper "Weaknesses in the Key Scheduling Algorithm of RC4"
* by Fluher, Mantin, and Shamir.
* http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Rc4_ksa.ps
* N = 256 in our case.
*/
for (n = 0; n < 256 * 4; n++)
arc4_getbyte(as);
}
static void
arc4_atexit(void)
{
struct {
pid_t spid;
int cnt;
uint8_t carr[240];
} buf;
int i = 0;
while (i < 240)
buf.carr[i++] = arc4_getbyte();
buf.spid = arc4_stir_pid;
buf.cnt = arc4_count;
arc4_writeback((uint8_t *)&buf, sizeof(buf), 0);
}
void hb_arc4random_buf( void * _buf, HB_SIZE n )
{
HB_U8 * buf = ( HB_U8 * ) _buf;
ARC4_LOCK();
arc4_stir_if_needed();
while( n-- )
{
if( --arc4_count <= 0 )
arc4_stir();
buf[ n ] = arc4_getbyte();
}
ARC4_UNLOCK();
}
void
iterator_init(iterator *iter, struct arc4_stream *as)
{
int i;
char derive[16];
iter->skipmod = INIT_SKIPMOD;
iter->as = *as;
/* Put the PRNG in different state, using key dependant data
* provided by the PRNG itself.
*/
for (i = 0; i < sizeof(derive); i++)
derive[i] = arc4_getbyte(&iter->as);
arc4_addrandom(&iter->as, derive, sizeof(derive));
iter->off = arc4_getword(&iter->as) % iter->skipmod;
}
static void
arc4_stir(void)
{
int done, fd, i;
struct {
struct timeval tv;
pid_t pid;
u_char rnd[KEYSIZE];
} rdat;
if (!rs_initialized) {
arc4_init();
rs_initialized = 1;
}
done = 0;
if (arc4_sysctl((u_char *)&rdat, KEYSIZE) == KEYSIZE)
done = 1;
if (!done) {
fd = _open(RANDOMDEV, O_RDONLY | O_CLOEXEC, 0);
if (fd >= 0) {
if (_read(fd, &rdat, KEYSIZE) == KEYSIZE)
done = 1;
(void)_close(fd);
}
}
if (!done) {
(void)gettimeofday(&rdat.tv, NULL);
rdat.pid = getpid();
/* We'll just take whatever was on the stack too... */
}
arc4_addrandom((u_char *)&rdat, KEYSIZE);
/*
* Discard early keystream, as per recommendations in:
* "(Not So) Random Shuffles of RC4" by Ilya Mironov.
*/
for (i = 0; i < 1024; i++)
(void)arc4_getbyte();
arc4_count = 1600000;
}
