Home Explore Help
Sign In
SMusatov
/
ydb
mirror of https://github.com/ydb-platform/ydb.git
1
0
Fork 0
Files
Tree: 6bb28dfd11
Branches Tags
ydb
/
contrib
/
libs
/
libevent
/
arc4random.c

arc4random.c 12 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546 
  1. /* Portable arc4random.c based on arc4random.c from OpenBSD.
    2. 

  2.  * Portable version by Chris Davis, adapted for Libevent by Nick Mathewson
    3. 

  3.  * Copyright (c) 2010 Chris Davis, Niels Provos, and Nick Mathewson
    4. 

  4.  * Copyright (c) 2010-2012 Niels Provos and Nick Mathewson
    5. 

  5.  *
    6. 

  6.  * Note that in Libevent, this file isn't compiled directly.  Instead,
    7. 

  7.  * it's included from evutil_rand.c
    8. 

  8.  */
    9. 

  9. 

  10. /*
    11. 

  11.  * Copyright (c) 1996, David Mazieres <dm@uun.org>
    12. 

  12.  * Copyright (c) 2008, Damien Miller <djm@openbsd.org>
    13. 

  13.  *
    14. 

  14.  * Permission to use, copy, modify, and distribute this software for any
    15. 

  15.  * purpose with or without fee is hereby granted, provided that the above
    16. 

  16.  * copyright notice and this permission notice appear in all copies.
    17. 

  17.  *
    18. 

  18.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
    19. 

  19.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
    20. 

  20.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
    21. 

  21.  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
    22. 

  22.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
    23. 

  23.  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
    24. 

  24.  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
    25. 

  25.  */
    26. 

  26. 

  27. /*
    28. 

  28.  * Arc4 random number generator for OpenBSD.
    29. 

  29.  *
    30. 

  30.  * This code is derived from section 17.1 of Applied Cryptography,
    31. 

  31.  * second edition, which describes a stream cipher allegedly
    32. 

  32.  * compatible with RSA Labs "RC4" cipher (the actual description of
    33. 

  33.  * which is a trade secret).  The same algorithm is used as a stream
    34. 

  34.  * cipher called "arcfour" in Tatu Ylonen's ssh package.
    35. 

  35.  *
    36. 

  36.  * Here the stream cipher has been modified always to include the time
    37. 

  37.  * when initializing the state.  That makes it impossible to
    38. 

  38.  * regenerate the same random sequence twice, so this can't be used
    39. 

  39.  * for encryption, but will generate good random numbers.
    40. 

  40.  *
    41. 

  41.  * RC4 is a registered trademark of RSA Laboratories.
    42. 

  42.  */
    43. 

  43. 

  44. #ifndef ARC4RANDOM_EXPORT
    45. 

  45. #define ARC4RANDOM_EXPORT
    46. 

  46. #endif
    47. 

  47. 

  48. #ifndef ARC4RANDOM_UINT32
    49. 

  49. #define ARC4RANDOM_UINT32 uint32_t
    50. 

  50. #endif
    51. 

  51. 

  52. #ifndef ARC4RANDOM_NO_INCLUDES
    53. 

  53. #include "evconfig-private.h"
    54. 

  54. #ifdef _WIN32
    55. 

  55. #include <wincrypt.h>
    56. 

  56. #include <process.h>
    57. 

  57. #include <winerror.h>
    58. 

  58. #else
    59. 

  59. #include <fcntl.h>
    60. 

  60. #include <unistd.h>
    61. 

  61. #include <sys/param.h>
    62. 

  62. #include <sys/time.h>
    63. 

  63. #ifdef EVENT__HAVE_SYS_SYSCTL_H
    64. 

  64. #include <sys/sysctl.h>
    65. 

  65. #endif
    66. 

  66. #ifdef EVENT__HAVE_SYS_RANDOM_H
    67. 

  67. #include <sys/random.h>
    68. 

  68. #endif
    69. 

  69. #endif
    70. 

  70. #include <limits.h>
    71. 

  71. #include <stdlib.h>
    72. 

  72. #include <string.h>
    73. 

  73. #endif
    74. 

  74. 

  75. /* Add platform entropy 32 bytes (256 bits) at a time. */
    76. 

  76. #define ADD_ENTROPY 32
    77. 

  77. 

  78. /* Re-seed from the platform RNG after generating this many bytes. */
    79. 

  79. #define BYTES_BEFORE_RESEED 1600000
    80. 

  80. 

  81. struct arc4_stream {
    82. 

  82. 	unsigned char i;
    83. 

  83. 	unsigned char j;
    84. 

  84. 	unsigned char s[256];
    85. 

  85. };
    86. 

  86. 

  87. #ifdef _WIN32
    88. 

  88. #define getpid _getpid
    89. 

  89. #define pid_t int
    90. 

  90. #endif
    91. 

  91. 

  92. static int rs_initialized;
    93. 

  93. static struct arc4_stream rs;
    94. 

  94. static pid_t arc4_stir_pid;
    95. 

  95. static int arc4_count;
    96. 

  96. 

  97. static inline unsigned char arc4_getbyte(void);
    98. 

  98. 

  99. static inline void
    100. 

  100. arc4_init(void)
    101. 

  101. {
    102. 

  102. 	int     n;
    103. 

  103. 

  104. 	for (n = 0; n < 256; n++)
    105. 

  105. 		rs.s[n] = n;
    106. 

  106. 	rs.i = 0;
    107. 

  107. 	rs.j = 0;
    108. 

  108. }
    109. 

  109. 

  110. static inline void
    111. 

  111. arc4_addrandom(const unsigned char *dat, int datlen)
    112. 

  112. {
    113. 

  113. 	int     n;
    114. 

  114. 	unsigned char si;
    115. 

  115. 

  116. 	rs.i--;
    117. 

  117. 	for (n = 0; n < 256; n++) {
    118. 

  118. 		rs.i = (rs.i + 1);
    119. 

  119. 		si = rs.s[rs.i];
    120. 

  120. 		rs.j = (rs.j + si + dat[n % datlen]);
    121. 

  121. 		rs.s[rs.i] = rs.s[rs.j];
    122. 

  122. 		rs.s[rs.j] = si;
    123. 

  123. 	}
    124. 

  124. 	rs.j = rs.i;
    125. 

  125. }
    126. 

  126. 

  127. #ifndef _WIN32
    128. 

  128. static ssize_t
    129. 

  129. read_all(int fd, unsigned char *buf, size_t count)
    130. 

  130. {
    131. 

  131. 	size_t numread = 0;
    132. 

  132. 	ssize_t result;
    133. 

  133. 

  134. 	while (numread < count) {
    135. 

  135. 		result = read(fd, buf+numread, count-numread);
    136. 

  136. 		if (result<0)
    137. 

  137. 			return -1;
    138. 

  138. 		else if (result == 0)
    139. 

  139. 			break;
    140. 

  140. 		numread += result;
    141. 

  141. 	}
    142. 

  142. 

  143. 	return (ssize_t)numread;
    144. 

  144. }
    145. 

  145. #endif
    146. 

  146. 

  147. #ifdef _WIN32
    148. 

  148. #define TRY_SEED_WIN32
    149. 

  149. static int
    150. 

  150. arc4_seed_win32(void)
    151. 

  151. {
    152. 

  152. 	/* This is adapted from Tor's crypto_seed_rng() */
    153. 

  153. 	static int provider_set = 0;
    154. 

  154. 	static HCRYPTPROV provider;
    155. 

  155. 	unsigned char buf[ADD_ENTROPY];
    156. 

  156. 

  157. 	if (!provider_set) {
    158. 

  158. 		if (!CryptAcquireContext(&provider, NULL, NULL, PROV_RSA_FULL,
    159. 

  159. 		    CRYPT_VERIFYCONTEXT)) {
    160. 

  160. 			if (GetLastError() != (DWORD)NTE_BAD_KEYSET)
    161. 

  161. 				return -1;
    162. 

  162. 		}
    163. 

  163. 		provider_set = 1;
    164. 

  164. 	}
    165. 

  165. 	if (!CryptGenRandom(provider, sizeof(buf), buf))
    166. 

  166. 		return -1;
    167. 

  167. 	arc4_addrandom(buf, sizeof(buf));
    168. 

  168. 	evutil_memclear_(buf, sizeof(buf));
    169. 

  169. 	return 0;
    170. 

  170. }
    171. 

  171. #endif
    172. 

  172. 

  173. #if defined(EVENT__HAVE_GETRANDOM)
    174. 

  174. #define TRY_SEED_GETRANDOM
    175. 

  175. static int
    176. 

  176. arc4_seed_getrandom(void)
    177. 

  177. {
    178. 

  178. 	unsigned char buf[ADD_ENTROPY];
    179. 

  179. 	size_t len, n;
    180. 

  180. 	unsigned i;
    181. 

  181. 	int any_set;
    182. 

  182. 

  183. 	memset(buf, 0, sizeof(buf));
    184. 

  184. 

  185. 	for (len = 0; len < sizeof(buf); len += n) {
    186. 

  186. 		n = sizeof(buf) - len;
    187. 

  187. 

  188. 		if (0 == getrandom(&buf[len], n, 0))
    189. 

  189. 			return -1;
    190. 

  190. 	}
    191. 

  191. 	/* make sure that the buffer actually got set. */
    192. 

  192. 	for (i=0,any_set=0; i<sizeof(buf); ++i) {
    193. 

  193. 		any_set |= buf[i];
    194. 

  194. 	}
    195. 

  195. 	if (!any_set)
    196. 

  196. 		return -1;
    197. 

  197. 

  198. 	arc4_addrandom(buf, sizeof(buf));
    199. 

  199. 	evutil_memclear_(buf, sizeof(buf));
    200. 

  200. 	return 0;
    201. 

  201. }
    202. 

  202. #endif /* EVENT__HAVE_GETRANDOM */
    203. 

  203. 

  204. #if defined(EVENT__HAVE_SYS_SYSCTL_H) && defined(EVENT__HAVE_SYSCTL)
    205. 

  205. #if EVENT__HAVE_DECL_CTL_KERN && EVENT__HAVE_DECL_KERN_ARND
    206. 

  206. #define TRY_SEED_SYSCTL_BSD
    207. 

  207. static int
    208. 

  208. arc4_seed_sysctl_bsd(void)
    209. 

  209. {
    210. 

  210. 	/* Based on code from William Ahern and from OpenBSD, this function
    211. 

  211. 	 * tries to use the KERN_ARND syscall to get entropy from the kernel.
    212. 

  212. 	 * This can work even if /dev/urandom is inaccessible for some reason
    213. 

  213. 	 * (e.g., we're running in a chroot). */
    214. 

  214. 	int mib[] = { CTL_KERN, KERN_ARND };
    215. 

  215. 	unsigned char buf[ADD_ENTROPY];
    216. 

  216. 	size_t len, n;
    217. 

  217. 	int i, any_set;
    218. 

  218. 

  219. 	memset(buf, 0, sizeof(buf));
    220. 

  220. 

  221. 	len = sizeof(buf);
    222. 

  222. 	if (sysctl(mib, 2, buf, &len, NULL, 0) == -1) {
    223. 

  223. 		for (len = 0; len < sizeof(buf); len += sizeof(unsigned)) {
    224. 

  224. 			n = sizeof(unsigned);
    225. 

  225. 			if (n + len > sizeof(buf))
    226. 

  226. 			    n = len - sizeof(buf);
    227. 

  227. 			if (sysctl(mib, 2, &buf[len], &n, NULL, 0) == -1)
    228. 

  228. 				return -1;
    229. 

  229. 		}
    230. 

  230. 	}
    231. 

  231. 	/* make sure that the buffer actually got set. */
    232. 

  232. 	for (i=any_set=0; i<sizeof(buf); ++i) {
    233. 

  233. 		any_set |= buf[i];
    234. 

  234. 	}
    235. 

  235. 	if (!any_set)
    236. 

  236. 		return -1;
    237. 

  237. 

  238. 	arc4_addrandom(buf, sizeof(buf));
    239. 

  239. 	evutil_memclear_(buf, sizeof(buf));
    240. 

  240. 	return 0;
    241. 

  241. }
    242. 

  242. #endif
    243. 

  243. #endif /* defined(EVENT__HAVE_SYS_SYSCTL_H) */
    244. 

  244. 

  245. #ifdef __linux__
    246. 

  246. #define TRY_SEED_PROC_SYS_KERNEL_RANDOM_UUID
    247. 

  247. static int
    248. 

  248. arc4_seed_proc_sys_kernel_random_uuid(void)
    249. 

  249. {
    250. 

  250. 	/* Occasionally, somebody will make /proc/sys accessible in a chroot,
    251. 

  251. 	 * but not /dev/urandom.  Let's try /proc/sys/kernel/random/uuid.
    252. 

  252. 	 * Its format is stupid, so we need to decode it from hex.
    253. 

  253. 	 */
    254. 

  254. 	int fd;
    255. 

  255. 	char buf[128];
    256. 

  256. 	unsigned char entropy[64];
    257. 

  257. 	int bytes, n, i, nybbles;
    258. 

  258. 	for (bytes = 0; bytes<ADD_ENTROPY; ) {
    259. 

  259. 		fd = evutil_open_closeonexec_("/proc/sys/kernel/random/uuid", O_RDONLY, 0);
    260. 

  260. 		if (fd < 0)
    261. 

  261. 			return -1;
    262. 

  262. 		n = read(fd, buf, sizeof(buf));
    263. 

  263. 		close(fd);
    264. 

  264. 		if (n<=0)
    265. 

  265. 			return -1;
    266. 

  266. 		memset(entropy, 0, sizeof(entropy));
    267. 

  267. 		for (i=nybbles=0; i<n; ++i) {
    268. 

  268. 			if (EVUTIL_ISXDIGIT_(buf[i])) {
    269. 

  269. 				int nyb = evutil_hex_char_to_int_(buf[i]);
    270. 

  270. 				if (nybbles & 1) {
    271. 

  271. 					entropy[nybbles/2] |= nyb;
    272. 

  272. 				} else {
    273. 

  273. 					entropy[nybbles/2] |= nyb<<4;
    274. 

  274. 				}
    275. 

  275. 				++nybbles;
    276. 

  276. 			}
    277. 

  277. 		}
    278. 

  278. 		if (nybbles < 2)
    279. 

  279. 			return -1;
    280. 

  280. 		arc4_addrandom(entropy, nybbles/2);
    281. 

  281. 		bytes += nybbles/2;
    282. 

  282. 	}
    283. 

  283. 	evutil_memclear_(entropy, sizeof(entropy));
    284. 

  284. 	evutil_memclear_(buf, sizeof(buf));
    285. 

  285. 	return 0;
    286. 

  286. }
    287. 

  287. #endif
    288. 

  288. 

  289. #ifndef _WIN32
    290. 

  290. #define TRY_SEED_URANDOM
    291. 

  291. static char *arc4random_urandom_filename = NULL;
    292. 

  292. 

  293. static int arc4_seed_urandom_helper_(const char *fname)
    294. 

  294. {
    295. 

  295. 	unsigned char buf[ADD_ENTROPY];
    296. 

  296. 	int fd;
    297. 

  297. 	size_t n;
    298. 

  298. 

  299. 	fd = evutil_open_closeonexec_(fname, O_RDONLY, 0);
    300. 

  300. 	if (fd<0)
    301. 

  301. 		return -1;
    302. 

  302. 	n = read_all(fd, buf, sizeof(buf));
    303. 

  303. 	close(fd);
    304. 

  304. 	if (n != sizeof(buf))
    305. 

  305. 		return -1;
    306. 

  306. 	arc4_addrandom(buf, sizeof(buf));
    307. 

  307. 	evutil_memclear_(buf, sizeof(buf));
    308. 

  308. 	return 0;
    309. 

  309. }
    310. 

  310. 

  311. static int
    312. 

  312. arc4_seed_urandom(void)
    313. 

  313. {
    314. 

  314. 	/* This is adapted from Tor's crypto_seed_rng() */
    315. 

  315. 	static const char *filenames[] = {
    316. 

  316. 		"/dev/srandom", "/dev/urandom", "/dev/random", NULL
    317. 

  317. 	};
    318. 

  318. 	int i;
    319. 

  319. 	if (arc4random_urandom_filename)
    320. 

  320. 		return arc4_seed_urandom_helper_(arc4random_urandom_filename);
    321. 

  321. 

  322. 	for (i = 0; filenames[i]; ++i) {
    323. 

  323. 		if (arc4_seed_urandom_helper_(filenames[i]) == 0) {
    324. 

  324. 			return 0;
    325. 

  325. 		}
    326. 

  326. 	}
    327. 

  327. 

  328. 	return -1;
    329. 

  329. }
    330. 

  330. #endif
    331. 

  331. 

  332. static int
    333. 

  333. arc4_seed(void)
    334. 

  334. {
    335. 

  335. 	int ok = 0;
    336. 

  336. 	/* We try every method that might work, and don't give up even if one
    337. 

  337. 	 * does seem to work.  There's no real harm in over-seeding, and if
    338. 

  338. 	 * one of these sources turns out to be broken, that would be bad. */
    339. 

  339. #ifdef TRY_SEED_WIN32
    340. 

  340. 	if (0 == arc4_seed_win32())
    341. 

  341. 		ok = 1;
    342. 

  342. #endif
    343. 

  343. #ifdef TRY_SEED_GETRANDOM
    344. 

  344. 	if (0 == arc4_seed_getrandom())
    345. 

  345. 		ok = 1;
    346. 

  346. #endif
    347. 

  347. #ifdef TRY_SEED_URANDOM
    348. 

  348. 	if (0 == arc4_seed_urandom())
    349. 

  349. 		ok = 1;
    350. 

  350. #endif
    351. 

  351. #ifdef TRY_SEED_PROC_SYS_KERNEL_RANDOM_UUID
    352. 

  352. 	if (arc4random_urandom_filename == NULL &&
    353. 

  353. 	    0 == arc4_seed_proc_sys_kernel_random_uuid())
    354. 

  354. 		ok = 1;
    355. 

  355. #endif
    356. 

  356. #ifdef TRY_SEED_SYSCTL_BSD
    357. 

  357. 	if (0 == arc4_seed_sysctl_bsd())
    358. 

  358. 		ok = 1;
    359. 

  359. #endif
    360. 

  360. 	return ok ? 0 : -1;
    361. 

  361. }
    362. 

  362. 

  363. static int
    364. 

  364. arc4_stir(void)
    365. 

  365. {
    366. 

  366. 	int     i;
    367. 

  367. 

  368. 	if (!rs_initialized) {
    369. 

  369. 		arc4_init();
    370. 

  370. 		rs_initialized = 1;
    371. 

  371. 	}
    372. 

  372. 

  373. 	if (0 != arc4_seed())
    374. 

  374. 		return -1;
    375. 

  375. 

  376. 	/*
    377. 

  377. 	 * Discard early keystream, as per recommendations in
    378. 

  378. 	 * "Weaknesses in the Key Scheduling Algorithm of RC4" by
    379. 

  379. 	 * Scott Fluhrer, Itsik Mantin, and Adi Shamir.
    380. 

  380. 	 * http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Rc4_ksa.ps
    381. 

  381. 	 *
    382. 

  382. 	 * Ilya Mironov's "(Not So) Random Shuffles of RC4" suggests that
    383. 

  383. 	 * we drop at least 2*256 bytes, with 12*256 as a conservative
    384. 

  384. 	 * value.
    385. 

  385. 	 *
    386. 

  386. 	 * RFC4345 says to drop 6*256.
    387. 

  387. 	 *
    388. 

  388. 	 * At least some versions of this code drop 4*256, in a mistaken
    389. 

  389. 	 * belief that "words" in the Fluhrer/Mantin/Shamir paper refers
    390. 

  390. 	 * to processor words.
    391. 

  391. 	 *
    392. 

  392. 	 * We add another sect to the cargo cult, and choose 12*256.
    393. 

  393. 	 */
    394. 

  394. 	for (i = 0; i < 12*256; i++)
    395. 

  395. 		(void)arc4_getbyte();
    396. 

  396. 

  397. 	arc4_count = BYTES_BEFORE_RESEED;
    398. 

  398. 

  399. 	return 0;
    400. 

  400. }
    401. 

  401. 

  402. 

  403. static void
    404. 

  404. arc4_stir_if_needed(void)
    405. 

  405. {
    406. 

  406. 	pid_t pid = getpid();
    407. 

  407. 

  408. 	if (arc4_count <= 0 || !rs_initialized || arc4_stir_pid != pid)
    409. 

  409. 	{
    410. 

  410. 		arc4_stir_pid = pid;
    411. 

  411. 		arc4_stir();
    412. 

  412. 	}
    413. 

  413. }
    414. 

  414. 

  415. static inline unsigned char
    416. 

  416. arc4_getbyte(void)
    417. 

  417. {
    418. 

  418. 	unsigned char si, sj;
    419. 

  419. 

  420. 	rs.i = (rs.i + 1);
    421. 

  421. 	si = rs.s[rs.i];
    422. 

  422. 	rs.j = (rs.j + si);
    423. 

  423. 	sj = rs.s[rs.j];
    424. 

  424. 	rs.s[rs.i] = sj;
    425. 

  425. 	rs.s[rs.j] = si;
    426. 

  426. 	return (rs.s[(si + sj) & 0xff]);
    427. 

  427. }
    428. 

  428. 

  429. static inline unsigned int
    430. 

  430. arc4_getword(void)
    431. 

  431. {
    432. 

  432. 	unsigned int val;
    433. 

  433. 

  434. 	val = arc4_getbyte() << 24;
    435. 

  435. 	val |= arc4_getbyte() << 16;
    436. 

  436. 	val |= arc4_getbyte() << 8;
    437. 

  437. 	val |= arc4_getbyte();
    438. 

  438. 

  439. 	return val;
    440. 

  440. }
    441. 

  441. 

  442. #ifndef ARC4RANDOM_NOSTIR
    443. 

  443. ARC4RANDOM_EXPORT int
    444. 

  444. arc4random_stir(void)
    445. 

  445. {
    446. 

  446. 	int val;
    447. 

  447. 	ARC4_LOCK_();
    448. 

  448. 	val = arc4_stir();
    449. 

  449. 	ARC4_UNLOCK_();
    450. 

  450. 	return val;
    451. 

  451. }
    452. 

  452. #endif
    453. 

  453. 

  454. #ifndef ARC4RANDOM_NOADDRANDOM
    455. 

  455. ARC4RANDOM_EXPORT void
    456. 

  456. arc4random_addrandom(const unsigned char *dat, int datlen)
    457. 

  457. {
    458. 

  458. 	int j;
    459. 

  459. 	ARC4_LOCK_();
    460. 

  460. 	if (!rs_initialized)
    461. 

  461. 		arc4_stir();
    462. 

  462. 	for (j = 0; j < datlen; j += 256) {
    463. 

  463. 		/* arc4_addrandom() ignores all but the first 256 bytes of
    464. 

  464. 		 * its input.  We want to make sure to look at ALL the
    465. 

  465. 		 * data in 'dat', just in case the user is doing something
    466. 

  466. 		 * crazy like passing us all the files in /var/log. */
    467. 

  467. 		arc4_addrandom(dat + j, datlen - j);
    468. 

  468. 	}
    469. 

  469. 	ARC4_UNLOCK_();
    470. 

  470. }
    471. 

  471. #endif
    472. 

  472. 

  473. #ifndef ARC4RANDOM_NORANDOM
    474. 

  474. ARC4RANDOM_EXPORT ARC4RANDOM_UINT32
    475. 

  475. arc4random(void)
    476. 

  476. {
    477. 

  477. 	ARC4RANDOM_UINT32 val;
    478. 

  478. 	ARC4_LOCK_();
    479. 

  479. 	arc4_count -= 4;
    480. 

  480. 	arc4_stir_if_needed();
    481. 

  481. 	val = arc4_getword();
    482. 

  482. 	ARC4_UNLOCK_();
    483. 

  483. 	return val;
    484. 

  484. }
    485. 

  485. #endif
    486. 

  486. 

  487. ARC4RANDOM_EXPORT void
    488. 

  488. arc4random_buf(void *buf_, size_t n)
    489. 

  489. {
    490. 

  490. 	unsigned char *buf = buf_;
    491. 

  491. 	ARC4_LOCK_();
    492. 

  492. 	arc4_stir_if_needed();
    493. 

  493. 	while (n--) {
    494. 

  494. 		if (--arc4_count <= 0)
    495. 

  495. 			arc4_stir();
    496. 

  496. 		buf[n] = arc4_getbyte();
    497. 

  497. 	}
    498. 

  498. 	ARC4_UNLOCK_();
    499. 

  499. }
    500. 

  500. 

  501. #ifndef ARC4RANDOM_NOUNIFORM
    502. 

  502. /*
    503. 

  503.  * Calculate a uniformly distributed random number less than upper_bound
    504. 

  504.  * avoiding "modulo bias".
    505. 

  505.  *
    506. 

  506.  * Uniformity is achieved by generating new random numbers until the one
    507. 

  507.  * returned is outside the range [0, 2**32 % upper_bound).  This
    508. 

  508.  * guarantees the selected random number will be inside
    509. 

  509.  * [2**32 % upper_bound, 2**32) which maps back to [0, upper_bound)
    510. 

  510.  * after reduction modulo upper_bound.
    511. 

  511.  */
    512. 

  512. ARC4RANDOM_EXPORT unsigned int
    513. 

  513. arc4random_uniform(unsigned int upper_bound)
    514. 

  514. {
    515. 

  515. 	ARC4RANDOM_UINT32 r, min;
    516. 

  516. 

  517. 	if (upper_bound < 2)
    518. 

  518. 		return 0;
    519. 

  519. 

  520. #if (UINT_MAX > 0xffffffffUL)
    521. 

  521. 	min = 0x100000000UL % upper_bound;
    522. 

  522. #else
    523. 

  523. 	/* Calculate (2**32 % upper_bound) avoiding 64-bit math */
    524. 

  524. 	if (upper_bound > 0x80000000)
    525. 

  525. 		min = 1 + ~upper_bound;		/* 2**32 - upper_bound */
    526. 

  526. 	else {
    527. 

  527. 		/* (2**32 - (x * 2)) % x == 2**32 % x when x <= 2**31 */
    528. 

  528. 		min = ((0xffffffff - (upper_bound * 2)) + 1) % upper_bound;
    529. 

  529. 	}
    530. 

  530. #endif
    531. 

  531. 

  532. 	/*
    533. 

  533. 	 * This could theoretically loop forever but each retry has
    534. 

  534. 	 * p > 0.5 (worst case, usually far better) of selecting a
    535. 

  535. 	 * number inside the range we need, so it should rarely need
    536. 

  536. 	 * to re-roll.
    537. 

  537. 	 */
    538. 

  538. 	for (;;) {
    539. 

  539. 		r = arc4random();
    540. 

  540. 		if (r >= min)
    541. 

  541. 			break;
    542. 

  542. 	}
    543. 

  543. 

  544. 	return r % upper_bound;
    545. 

  545. }
    546. 

  546. #endif
    547.