Discard first 256 bytes of keystream, as per recommendation in

"Weaknesses in the Key Scheduling Algorithm of RC4", Fluhrer, Mantin and
Shamir. ok itojun@

1 files changed, 10 insertions, 1 deletions

diff --git a/src/lib/libc/crypt/arc4random.c b/src/lib/libc/crypt/arc4random.c
index 5e3b2925a6..5b376488ec 100644
--- a/src/lib/libc/crypt/arc4random.c
+++ b/src/lib/libc/crypt/arc4random.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: arc4random.c,v 1.9 2003/08/16 19:07:40 tedu Exp $     */
+/*      $OpenBSD: arc4random.c,v 1.10 2003/11/26 21:40:08 djm Exp $     */
 
 /*
  * Arc4 random number generator for OpenBSD.
@@ -48,6 +48,8 @@ static int rs_initialized;
 static struct arc4_stream rs;
 static pid_t arc4_stir_pid;
 
+static inline u_int8_t arc4_getbyte(struct arc4_stream *);
+
 static inline void
 arc4_init(struct arc4_stream *as)
 {
@@ -98,6 +100,13 @@ arc4_stir(struct arc4_stream *as)
 
         arc4_stir_pid = getpid();
         arc4_addrandom(as, (void *) &rdat, sizeof(rdat));
+
+        /*
+         * Discard early keystream, as per recommendations in:
+         * http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Rc4_ksa.ps
+         */
+        for (i = 0; i < 256; i++)
+                (void) arc4_getbyte(as);
 }
 
 static inline u_int8_t