author | ache <ache@FreeBSD.org> | 2008-07-22 16:16:51 +0000 |
---|---|---|
committer | ache <ache@FreeBSD.org> | 2008-07-22 16:16:51 +0000 |
commit | d7f1be43bedf5650c4c221a13f9c55b8f85e0a38 (patch) | |
tree | 20e8fba124c282d593c5d23047e6b446adafb1d5 /sys/libkern | |
parent | 91cafa1d13867d970b53a082f703e5e007e461d5 (diff) | |
download | FreeBSD-src-d7f1be43bedf5650c4c221a13f9c55b8f85e0a38.zip FreeBSD-src-d7f1be43bedf5650c4c221a13f9c55b8f85e0a38.tar.gz |
1) Initialize arc4_i and arc4_j to 0 after key mixing as recommended in
draft-kaukonen-cipher-arcfour-03.txt (3.1.5)
2) Drop first 768 bytes as standard RC4-drop(768)
Diffstat (limited to 'sys/libkern')
-rw-r--r-- | sys/libkern/arc4random.c | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/sys/libkern/arc4random.c b/sys/libkern/arc4random.c
index 3a3227c..c0d1583 100644
--- a/sys/libkern/arc4random.c
+++ b/sys/libkern/arc4random.c
@@ -69,18 +69,21 @@ arc4_randomstir (void)
 arc4_j = (arc4_j + arc4_sbox[n] + key[n]) % 256;
 arc4_swap(&arc4_sbox[n], &arc4_sbox[arc4_j]);
 }
+ arc4_i = arc4_j = 0; /* Reset for next reseed cycle. */
 arc4_t_reseed = tv_now.tv_sec + ARC4_RESEED_SECONDS;
 arc4_numruns = 0;
 /*
- * Throw away the first N words of output, as suggested in the
+ * Throw away the first N bytes of output, as suggested in the
 * paper "Weaknesses in the Key Scheduling Algorithm of RC4"
- * by Fluher, Mantin, and Shamir. (N = 256 in our case.)
+ * by Fluher, Mantin, and Shamir. N=768 is based on
+ * suggestions in the paper "(Not So) Random Shuffles of RC4"
+ * by Ilya Mironov.
 */
- for (n = 0; n < 256*4; n++)
- arc4_randbyte();
+ for (n = 0; n < 768; n++)
+ (void)arc4_randbyte();
 mtx_unlock(&arc4_mtx);
 }
|
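Review bot: The comment on the added `arc4_i = arc4_j = 0;` line says the reset is "for next reseed cycle", but what it actually does is the RC4 KSA-to-PRGA hand-off the commit message cites (draft-kaukonen 3.1.5), so `/* RC4 KSA done: i = j = 0 before generating keystream. */` would state the reason rather than the timing. The rewritten `+ * by Fluher, Mantin, and Shamir.` comment line carries the misspelling of Fluhrer over from the old text; since that line is being replaced anyway, it is the moment to correct it. The drop count 768 is a bare literal in both the loop bound and the comment, which lets the two drift apart on the next tuning; a named constant such as `#define ARC4_DROP_BYTES 768` next to ARC4_RESEED_SECONDS, used in the loop and referenced in the comment, would keep them tied together. The comment could also record that Mironov's paper gives a range rather than a single figure (the conservative recommendation there is, if I recall correctly, 12*256 bytes), so a later reader knows 768 was a deliberate choice rather than the paper's only number. arc4_randomstir() begins before this hunk; only its tail is visible here.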