16 Commits

Author SHA1 Message Date
Andrey A. Chernov
2b50ce65be Attempt to mitigate poor initialization of arc4 by one-shot
reinitialization from yarrow right after good entropy is harvested.

Approved by:    secteam (delphij)
MFC after:      1 week
2013-04-19 00:30:52 +00:00
Andrey A. Chernov
b834665cd5 Return arc4_i = arc4_j = 0; line from previous backing out since
just found it in OpenBSD, see their sys/crypto/arc4.c, function
rc4_keysetup, line ctx->x = ctx->y = 0;

Obtained from:  OpenBSD
2008-07-26 16:42:45 +00:00
Andrey A. Chernov
fff6495ea6 Per rwatson's request:
"If you don't get a review within a day or two, I would firmly recommend
backing out the changes"

back out all my changes as unreviewed by secteam@ yet.
2008-07-25 15:53:32 +00:00
Andrey A. Chernov
d16863efa6 1) Initialize arc4_i and arc4_j to 0 after key mixing as recommended in
draft-kaukonen-cipher-arcfour-03.txt (3.1.5)

2) Drop first 768 bytes as standard RC4-drop(768)
2008-07-22 16:16:51 +00:00
Mike Silbersack
2f823fa326 Lock down arc4random so it can be safely called w/o Giant.
Minor code reorganization was required, but the only functional
change was that the first 1024 bytes of output are thrown out
after each reseed, rather than just the initial seed.
2003-08-15 06:34:47 +00:00
David E. O'Brien
ab0de15baf Use __FBSDID(). 2003-06-11 05:37:42 +00:00
Poul-Henning Kamp
2c38619b52 Slight overhaul of arc4random() and friends.
One bug fixed:  Use getmicrouptime() to trigger reseeds so that we
cannot be tricked by a clock being stepped backwards.

Express parameters in natural units and with natural names.

Don't use struct timeval more than we need to.

Various stylistic and readability polishing.

Introduce arc4rand(void *ptr, u_int len, int reseed) function which
returns a stream of pseudo-random bytes, observing the automatic
reseed criteria as well as allowing forced reseeds.

Rewrite arc4random() in terms of arc4rand().

Sponsored by:   DARPA & NAI Labs.
2002-10-11 13:13:08 +00:00
Bruce Evans
60f8e3af92 Fixed some typos, verboseness and misformatting in comments. 2001-08-30 12:30:58 +00:00
Mike Silbersack
3a7810bc39 Minor improvements to arc4random():
- Decrease reseeding interval from every 64 to every 16384 runs
  to reduce entropy usage.
- Add time based reseeding.  (Every 5 minutes.)
- Throw away the first 256 words of output as suggested in
  "Weaknesses in the Key Scheduling Algorithm of RC4."

Reviewed by: Mark Murray
MFC After: jkh says ok
2001-08-30 01:15:25 +00:00
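The two measures the commits d16863efa6 and 3a7810bc39 above describe (reset the PRGA indices to 0 after key mixing, then discard the first n keystream bytes, RC4-drop(n)) as an added C example. This is illustrative code written for this page; it is neither FreeBSD's sys/libkern/arc4random.c nor OpenBSD's sys/crypto/arc4.c. The context layout, the function names, the splitmix64-style key generator and the bias-measurement routine are this example's own constructions. It checks the key schedule against the public RC4 test vector for key "Key" and then shows why the drop matters: over many keys the second keystream byte is 0 about twice as often as it should be (the Mantin-Shamir bias), and after drop(768) that bias is gone.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal RC4 (arc4) state: the 256-byte S-box plus the two PRGA indices. */
struct arc4_ctx {
    uint8_t s[256];
    uint8_t i, j;
};

/* Key scheduling (KSA). After mixing, both output indices are reset to 0,
 * the step draft-kaukonen-cipher-arcfour-03 3.1.5 calls for and that the
 * commit above restores (OpenBSD: ctx->x = ctx->y = 0). */
static void arc4_keysetup(struct arc4_ctx *ctx, const uint8_t *key, size_t klen)
{
    uint8_t j = 0, tmp;
    int n;

    for (n = 0; n < 256; n++)
        ctx->s[n] = (uint8_t)n;
    for (n = 0; n < 256; n++) {
        j = (uint8_t)(j + ctx->s[n] + key[n % klen]);
        tmp = ctx->s[n]; ctx->s[n] = ctx->s[j]; ctx->s[j] = tmp;
    }
    ctx->i = ctx->j = 0;
}

/* One PRGA step: returns the next keystream byte. */
static uint8_t arc4_getbyte(struct arc4_ctx *ctx)
{
    uint8_t si, sj;

    ctx->i = (uint8_t)(ctx->i + 1);
    si = ctx->s[ctx->i];
    ctx->j = (uint8_t)(ctx->j + si);
    sj = ctx->s[ctx->j];
    ctx->s[ctx->i] = sj;
    ctx->s[ctx->j] = si;
    return ctx->s[(uint8_t)(si + sj)];
}

/* RC4-drop(n): throw away the first n keystream bytes after keying. */
static void arc4_drop(struct arc4_ctx *ctx, size_t n)
{
    while (n--)
        (void)arc4_getbyte(ctx);
}

/* Self-test against the public RC4 vector: key "Key" yields keystream
 * EB 9F 77 81 B7 34 CA 72 A7 19 (so "Plaintext" encrypts to BBF316E8D940AF0AD3).
 * Returns 1 on match, 0 otherwise. */
int arc4_selftest(void)
{
    static const uint8_t expect[10] =
        { 0xEB, 0x9F, 0x77, 0x81, 0xB7, 0x34, 0xCA, 0x72, 0xA7, 0x19 };
    struct arc4_ctx ctx;
    uint8_t ks[10];
    size_t n;

    arc4_keysetup(&ctx, (const uint8_t *)"Key", 3);
    for (n = 0; n < sizeof ks; n++)
        ks[n] = arc4_getbyte(&ctx);
    return memcmp(ks, expect, sizeof ks) == 0;
}

/* Deterministic 64-bit generator (splitmix64 constants) used only to derive
 * a reproducible sequence of 16-byte test keys; not a cryptographic source. */
static uint64_t next_u64(uint64_t *st)
{
    uint64_t z = (*st += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/* Keys nkeys fresh 16-byte keys, skips `drop` bytes, and counts how often the
 * second byte of the remaining stream is 0. With drop == 0 the count is
 * about nkeys/128 (twice the uniform rate); with drop == 768 about nkeys/256. */
unsigned arc4_count_zero_second_byte(unsigned nkeys, size_t drop)
{
    uint64_t st = 0x0123456789ABCDEFULL;
    unsigned k, zeros = 0;
    uint8_t key[16];
    struct arc4_ctx ctx;

    for (k = 0; k < nkeys; k++) {
        uint64_t a = next_u64(&st), b = next_u64(&st);
        memcpy(key, &a, 8);
        memcpy(key + 8, &b, 8);
        arc4_keysetup(&ctx, key, sizeof key);
        arc4_drop(&ctx, drop);
        (void)arc4_getbyte(&ctx);             /* first byte after the drop */
        if (arc4_getbyte(&ctx) == 0)          /* second byte after the drop */
            zeros++;
    }
    return zeros;
}

int main(void)
{
    printf("selftest: %s\n", arc4_selftest() ? "ok" : "FAIL");
    printf("zero 2nd byte, no drop:   %u / 65536 (uniform would be ~256)\n",
           arc4_count_zero_second_byte(65536, 0));
    printf("zero 2nd byte, drop(768): %u / 65536\n",
           arc4_count_zero_second_byte(65536, 768));
    return 0;
}
```

The bias counter runs one KSA plus at most 770 PRGA steps per key, so 65536 keys finish well under a second; the undropped count lands near 512 and the dropped one near 256, which is the observable difference the drop buys.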
Mark Murray
4cb1e53914 Recouple arc4random(9) to the entropy device. This works whether the
entropy device is loaded or not.

If the entropy device is NOT loaded, the quality of perturbations
supplied by this will suffer.
2000-12-02 16:23:54 +00:00
John Baldwin
e2059d0bfb Back out previous revision now that sys/random.h is properly fixed. 2000-09-11 19:34:04 +00:00
John Baldwin
ebbb6afce3 Add #include's of sys/proc.h and sys/param.h to silence a warning. 2000-09-11 05:51:58 +00:00
Mark Murray
bf3191e9fa Comment out unavailable call. This needs to be revisited when the entropy
device is complete.
Reviewed by:	dfr
2000-06-25 10:15:58 +00:00
Dan Moschuk
e6082d1936 In the extremely minuscule chance that read_random returns <= 0, don't try
and use that return code as a modulus (panics are bad, mmmkay?)
1999-11-29 19:23:35 +00:00
Dan Moschuk
d65b167028 Address the concerns of the ``randomness'' of the initial PRNG. Now, we
use bits from /dev/random to stir the S-box.  Also add an internal counter to
keep the S-box stirred on a regular basis.

Reviewed by: msmith
1999-11-28 23:39:49 +00:00
Dan Moschuk
ee3fd60126 Introduce OpenBSD-like Random PIDs. Controlled by a sysctl knob
(kern.randompid), which is currently defaulted off.  Use ARC4 (RC4) for our
random number generation, which will not get me executed for violating
crypto laws; a Good Thing(tm).

Reviewed and Approved by: bde, imp
1999-11-28 17:51:09 +00:00