Submitted By: Robert Connolly (ashes) Date: 2005-10-22 Initial Package Version: 2.3.5 Upstream Status: Not submitted Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/crypt/arc4random.c Description: This patch adds the arc4random() and arc4randomII() functions to Glibc, and hooks so mktemp(3) can use arc4randomII(). Also see: http://www.linuxfromscratch.org/hlfs/ http://www.linuxfromscratch.org/hints/downloads/files/entropy.txt diff -Naur glibc-2.3.5.orig/manual/arc4random.3 glibc-2.3.5/manual/arc4random.3 --- glibc-2.3.5.orig/manual/arc4random.3 1970-01-01 00:00:00.000000000 +0000 +++ glibc-2.3.5/manual/arc4random.3 2005-10-18 23:27:25.000000000 +0000 @@ -0,0 +1,74 @@ +.TH ARC4RANDOM 3 "February 11, 2005" +.SH NAME +arc4random - arc4 random number generator +.SH SYNOPSIS +.nf +.B #include +.sp +.I u_int32_t +.B arc4random(void); +.sp +.I u_int32_t +.B arc4randomII(void); +.fi +.SH DESCRIPTION +The \fBarc4random()\fP function generates a pseudo-random number using the +ARC4 cipher key stream generator. ARCFOUR uses 8*8 8 bit S-Boxes, and can +be in about (2**1700) states. + +The \fBarc4random()\fP function is seeded automatically from /dev/urandom, +or from sysctl \fBurandom\fP if /dev/urandom is not accessible (chroot), or from +sysctl random.uuid if sysctl \fBurandom\fP is not accessible. \fBgettimeofday(2)\fP +is always included when initializing the state of \fBarc4random()\fP, this makes +it impossible to generate the same random sequence twice. \fBarc4random()\fP +is intended to be safe to use with encryption software to provide entropy. + +The \fBarc4randomII()\fP function is identical to \fBarc4random()\fP except +that \fBarc4randomII()\fP is seeded automatically from /dev/erandom, and +sysctl erandom. \fBarc4randomII()\fP is NOT intended for cryptography, but is +ideal for \fBmktemp(3)\fP, and other functions with a short lifespan. +\fBarc4randomII()\fP and erandom do not consume any kernel entropy. + +Sysctl urandom, and erandom require a modified kernel. See: +http://www.linuxfromscratch.org/hlfs/ + +.SH EXAMPLES +.TP +Return a random number between 0 and 100. +.sp +arc4random() % 100; +.TP +Return any random number. +.sp +arc4random(); +.TP +.nf +Sample program; this will display a number between 0 and 65536. + +#include +#include + +int main(void) { + int random_number; + random_number = arc4random() % 65536; + printf("%d\n", random_number); + return 0; +} +.fi +.SH "SEE ALSO" +.BR random (3), +.BR gettimeofday (2), +.BR mktemp (3) + +.SH HISTORY +An algorithm called RC4 was designed by RSA Data Security, Inc. It was +considered a trade secret, but not trademarked. Because it was a trade +secret, it obviously could not be patented. A clone of this was posted +anonymously to USENET and confirmed to be equivalent by several sources +who had access to the original cipher. Because of the trade secret situation, +RSA Data Security, Inc. can do nothing about the release of the +ARC4 algorithm. Since RC4 used to be a trade secret, the cipher is now +referred to as ARC4 (Another RC4). + +These functions first appeared in OpenBSD 2.1. + diff -Naur glibc-2.3.5.orig/stdlib/Makefile glibc-2.3.5/stdlib/Makefile --- glibc-2.3.5.orig/stdlib/Makefile 2005-02-16 11:23:58.000000000 +0000 +++ glibc-2.3.5/stdlib/Makefile 2005-10-18 23:27:25.000000000 +0000 @@ -27,7 +27,7 @@ routines := \ atof atoi atol atoll \ - abort \ + abort arc4random arc4randomII \ bsearch qsort msort \ getenv putenv setenv secure-getenv \ exit on_exit atexit cxa_atexit cxa_finalize old_atexit \ diff -Naur glibc-2.3.5.orig/stdlib/arc4random.c glibc-2.3.5/stdlib/arc4random.c --- glibc-2.3.5.orig/stdlib/arc4random.c 1970-01-01 00:00:00.000000000 +0000 +++ glibc-2.3.5/stdlib/arc4random.c 2005-10-18 23:27:25.000000000 +0000 @@ -0,0 +1,205 @@ +/* + * Arc4 random number generator for OpenBSD. + * Copyright 1996 David Mazieres . + * + * Modification and redistribution in source and binary forms is + * permitted provided that due credit is given to the author and the + * OpenBSD project by leaving this copyright notice intact. + */ + +/* + * This code is derived from section 17.1 of Applied Cryptography, + * second edition, which describes a stream cipher allegedly + * compatible with RSA Labs "RC4" cipher (the actual description of + * which is a trade secret). The same algorithm is used as a stream + * cipher called "arcfour" in Tatu Ylonen's ssh package. + * + * Here the stream cipher has been modified always to include the time + * when initializing the state. That makes it impossible to + * regenerate the same random sequence twice, so this can't be used + * for encryption, but will generate good random numbers. + * + * RC4 is a registered trademark of RSA Laboratories. + */ + +/* + * Modified by Robert Connolly from OpenBSD lib/libc/crypt/arc4random.c v1.11. + * This is arc4random(3) using urandom. + */ + +#include +#include +#include +#include +#include +#include +#include + +#ifdef __GNUC__ +#define inline __inline +#else /* !__GNUC__ */ +#define inline +#endif /* !__GNUC__ */ + +struct arc4_stream { + u_int8_t i; + u_int8_t j; + u_int8_t s[256]; +}; + +static int rs_initialized; +static struct arc4_stream rs; +static pid_t arc4_stir_pid; + +static inline u_int8_t arc4_getbyte(struct arc4_stream *); + +static inline void +arc4_init(struct arc4_stream *as) +{ + int n; + + for (n = 0; n < 256; n++) + as->s[n] = n; + as->i = 0; + as->j = 0; +} + +static inline void +arc4_addrandom(struct arc4_stream *as, u_char *dat, int datlen) +{ + int n; + u_int8_t si; + + as->i--; + for (n = 0; n < 256; n++) { + as->i = (as->i + 1); + si = as->s[as->i]; + as->j = (as->j + si + dat[n % datlen]); + as->s[as->i] = as->s[as->j]; + as->s[as->j] = si; + } + as->j = as->i; +} + +static void +arc4_stir(struct arc4_stream *as) +{ + int n, fd; + struct { + struct timeval tv; + u_int rnd[(128 - sizeof(struct timeval)) / sizeof(u_int)]; + } rdat; + + gettimeofday(&rdat.tv, NULL); + + /* /dev/urandom is a multithread interface, sysctl is not. */ + /* Try to use /dev/urandom before sysctl. */ + fd = open("/dev/urandom", O_RDONLY); + if (fd != -1) { + read(fd, rdat.rnd, sizeof(rdat.rnd)); + close(fd); + } + +#if defined(SYSCTL_URANDOM) + else { + /* /dev/urandom failed? Maybe we're in a chroot. */ + int mib[]={CTL_KERN, KERN_RANDOM, RANDOM_URANDOM}; + u_int i; + size_t len; + + for (i = 0; i < sizeof(rdat.rnd) / sizeof(u_int); i ++) { + len = sizeof(u_int); + if (sysctl(mib, 3, &rdat.rnd[i], &len, NULL, 0) == -1) + break; + } + if (i < sizeof(rdat.rnd) / 4) { + /* Sysctl urandom failed? Maybe we're running a vanilla kernel. */ + mib[2] = RANDOM_UUID; + for (i = 0; i < sizeof(rdat.rnd) / sizeof(u_int); i ++) { + len = sizeof(u_int); + if (sysctl(mib, 3, &rdat.rnd[i], &len, NULL, 0) == -1) + break; + } + } + } +#endif + + arc4_stir_pid = getpid(); + /* + * Time to give up. If no entropy could be found then we will just + * use gettimeofday. + */ + arc4_addrandom(as, (void *)&rdat, sizeof(rdat)); + + /* + * Discard early keystream, as per recommendations in: + * http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Rc4_ksa.ps + * We discard 256 words. A long word is 4 bytes. + */ + for (n = 0; n < 256 * 4; n ++) + arc4_getbyte(as); +} + +static inline u_int8_t +arc4_getbyte(struct arc4_stream *as) +{ + u_int8_t si, sj; + + as->i = (as->i + 1); + si = as->s[as->i]; + as->j = (as->j + si); + sj = as->s[as->j]; + as->s[as->i] = sj; + as->s[as->j] = si; + return (as->s[(si + sj) & 0xff]); +} + +static inline u_int32_t +arc4_getword(struct arc4_stream *as) +{ + u_int32_t val; + val = arc4_getbyte(as) << 24; + val |= arc4_getbyte(as) << 16; + val |= arc4_getbyte(as) << 8; + val |= arc4_getbyte(as); + return val; +} + +void +arc4random_stir(void) +{ + if (!rs_initialized) { + arc4_init(&rs); + rs_initialized = 1; + } + arc4_stir(&rs); +} + +void +arc4random_addrandom(u_char *dat, int datlen) +{ + if (!rs_initialized) + arc4random_stir(); + arc4_addrandom(&rs, dat, datlen); +} + +u_int32_t +arc4random(void) +{ + if (!rs_initialized || arc4_stir_pid != getpid()) + arc4random_stir(); + return arc4_getword(&rs); +} + +#if 0 +/*-------- Test code --------*/ +#include +#include + +int main(void) { + int random_number; + random_number = arc4random() % 65536; + printf("A random number between 0 and 65536 is %d\n", random_number); + return 0; +} +#endif diff -Naur glibc-2.3.5.orig/stdlib/arc4randomII.c glibc-2.3.5/stdlib/arc4randomII.c --- glibc-2.3.5.orig/stdlib/arc4randomII.c 1970-01-01 00:00:00.000000000 +0000 +++ glibc-2.3.5/stdlib/arc4randomII.c 2005-10-18 23:27:25.000000000 +0000 @@ -0,0 +1,196 @@ +/* + * Arc4 random number generator for OpenBSD. + * Copyright 1996 David Mazieres . + * + * Modification and redistribution in source and binary forms is + * permitted provided that due credit is given to the author and the + * OpenBSD project by leaving this copyright notice intact. + */ + +/* + * This code is derived from section 17.1 of Applied Cryptography, + * second edition, which describes a stream cipher allegedly + * compatible with RSA Labs "RC4" cipher (the actual description of + * which is a trade secret). The same algorithm is used as a stream + * cipher called "arcfour" in Tatu Ylonen's ssh package. + * + * Here the stream cipher has been modified always to include the time + * when initializing the state. That makes it impossible to + * regenerate the same random sequence twice, so this can't be used + * for encryption, but will generate good random numbers. + * + * RC4 is a registered trademark of RSA Laboratories. + */ + +/* + * Modified by Robert Connolly from OpenBSD lib/libc/crypt/arc4random.c v1.11. + * This is arc4randomII(3) using erandom. + */ + +#include +#include +#include +#include +#include +#include +#include + +#ifdef __GNUC__ +#define inline __inline +#else /* !__GNUC__ */ +#define inline +#endif /* !__GNUC__ */ + +struct arc4_streamII { + u_int8_t i; + u_int8_t j; + u_int8_t s[256]; +}; + +static int rs_initializedII; +static struct arc4_streamII rs; +static pid_t arc4_stir_pidII; + +static inline u_int8_t arc4_getbyteII(struct arc4_streamII *); + +static inline void +arc4_initII(struct arc4_streamII *as) +{ + int n; + + for (n = 0; n < 256; n++) + as->s[n] = n; + as->i = 0; + as->j = 0; +} + +static inline void +arc4_addrandomII(struct arc4_streamII *as, u_char *dat, int datlen) +{ + int n; + u_int8_t si; + + as->i--; + for (n = 0; n < 256; n++) { + as->i = (as->i + 1); + si = as->s[as->i]; + as->j = (as->j + si + dat[n % datlen]); + as->s[as->i] = as->s[as->j]; + as->s[as->j] = si; + } + as->j = as->i; +} + +static void +arc4_stirII(struct arc4_streamII *as) +{ + int n, fd; + struct { + struct timeval tv; + u_int rnd[(128 - sizeof(struct timeval)) / sizeof(u_int)]; + } rdat; + + gettimeofday(&rdat.tv, NULL); + + /* /dev/urandom is a multithread interface, sysctl is not. */ + /* Try to use /dev/urandom before sysctl. */ + fd = open("/dev/erandom", O_RDONLY); + if (fd != -1) { + read(fd, rdat.rnd, sizeof(rdat.rnd)); + close(fd); + } + +#if defined(SYSCTL_ERANDOM) + else { + /* /dev/urandom failed? Maybe we're in a chroot. */ + int mib[]={CTL_KERN, KERN_RANDOM, RANDOM_ERANDOM}; + u_int i; + size_t len; + + for (i = 0; i < sizeof(rdat.rnd) / sizeof(u_int); i++) { + len = sizeof(u_int); + if (sysctl(mib, 3, &rdat.rnd[i], &len, NULL, 0) == -1) + break; + } + } +#endif + + arc4_stir_pidII = getpid(); + /* + * Time to give up. If no entropy could be found then we will just + * use gettimeofday. + */ + arc4_addrandomII(as, (void *)&rdat, sizeof(rdat)); + + /* + * Discard early keystream, as per recommendations in: + * http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Rc4_ksa.ps + * We discard 256 words. A long word is 4 bytes. + */ + for (n = 0; n < 256 * 4; n ++) + arc4_getbyteII(as); +} + +static inline u_int8_t +arc4_getbyteII(struct arc4_streamII *as) +{ + u_int8_t si, sj; + + as->i = (as->i + 1); + si = as->s[as->i]; + as->j = (as->j + si); + sj = as->s[as->j]; + as->s[as->i] = sj; + as->s[as->j] = si; + return (as->s[(si + sj) & 0xff]); +} + +static inline u_int32_t +arc4_getwordII(struct arc4_streamII *as) +{ + u_int32_t val; + val = arc4_getbyteII(as) << 24; + val |= arc4_getbyteII(as) << 16; + val |= arc4_getbyteII(as) << 8; + val |= arc4_getbyteII(as); + return val; +} + +void +arc4random_stirII(void) +{ + if (!rs_initializedII) { + arc4_initII(&rs); + rs_initializedII = 1; + } + arc4_stirII(&rs); +} + +void +arc4random_addrandomII(u_char *dat, int datlen) +{ + if (!rs_initializedII) + arc4random_stirII(); + arc4_addrandomII(&rs, dat, datlen); +} + +u_int32_t +arc4randomII(void) +{ + if (!rs_initializedII || arc4_stir_pidII != getpid()) + arc4random_stirII(); + return arc4_getwordII(&rs); +} + +#if 0 +/*-------- Test code --------*/ +#include +#include + +int main(void) { + int random_number; + random_number = arc4randomII() % 65536; + printf("A random number between 0 and 65536 is %d\n", random_number); + return 0; +} +#endif diff -Naur glibc-2.3.5.orig/stdlib/stdlib.h glibc-2.3.5/stdlib/stdlib.h --- glibc-2.3.5.orig/stdlib/stdlib.h 2004-12-01 19:54:34.000000000 +0000 +++ glibc-2.3.5/stdlib/stdlib.h 2005-10-18 23:28:10.000000000 +0000 @@ -572,6 +572,15 @@ extern int lcong48_r (unsigned short int __param[7], struct drand48_data *__buffer) __THROW __nonnull ((1, 2)); + +#define LIBC_HAS_ARC4RANDOM +u_int32_t arc4random(void); +void arc4random_stir(void); +void arc4random_addrandom(unsigned char *, int); +u_int32_t arc4randomII(void); +void arc4random_stirII(void); +void arc4random_addrandomII(unsigned char *, int); + # endif /* Use misc. */ #endif /* Use SVID or X/Open. */ diff -Naur glibc-2.3.5.orig/sysdeps/posix/tempname.c glibc-2.3.5/sysdeps/posix/tempname.c --- glibc-2.3.5.orig/sysdeps/posix/tempname.c 2001-11-27 03:35:06.000000000 +0000 +++ glibc-2.3.5/sysdeps/posix/tempname.c 2005-10-18 23:27:25.000000000 +0000 @@ -258,6 +258,10 @@ /* This is where the Xs start. */ XXXXXX = &tmpl[len - 6]; +/* Get real random data. */ +#if defined(LIBC_HAS_ARC4RANDOM) + random_time_bits = arc4randomII(); +#else /* Get some more or less random data. */ #ifdef RANDOM_BITS RANDOM_BITS (random_time_bits); @@ -272,7 +276,12 @@ random_time_bits = time (NULL); # endif #endif +#endif +#if defined(LIBC_HAS_ARC4RANDOM) + value += random_time_bits ^ arc4randomII(); +#else value += random_time_bits ^ __getpid (); +#endif for (count = 0; count < attempts; value += 7777, ++count) {