--- a/libtomcrypt/src/prngs/rc4.c	Sat Jun 24 23:33:16 2017 +0800
+++ b/libtomcrypt/src/prngs/rc4.c	Fri Feb 09 23:49:22 2018 +0800
@@ -5,44 +5,45 @@
  *
  * The library is free for all purposes without any express
  * guarantee it works.
- *
- * Tom St Denis, [email protected], http://libtom.org
  */
 #include "tomcrypt.h"
 
 /**
-  @file rc4.c
-  LTC_RC4 PRNG, Tom St Denis
-*/  
+  @file prngs/rc4.c
+  RC4 PRNG, Tom St Denis
+*/
 
 #ifdef LTC_RC4
 
-const struct ltc_prng_descriptor rc4_desc = 
+const struct ltc_prng_descriptor rc4_desc =
 {
-   "rc4", 32,
-    &rc4_start,
-    &rc4_add_entropy,
-    &rc4_ready,
-    &rc4_read,
-    &rc4_done,
-    &rc4_export,
-    &rc4_import,
-    &rc4_test
+   "rc4",
+   32,
+   &rc4_start,
+   &rc4_add_entropy,
+   &rc4_ready,
+   &rc4_read,
+   &rc4_done,
+   &rc4_export,
+   &rc4_import,
+   &rc4_test
 };
 
 /**
   Start the PRNG
   @param prng     [out] The PRNG state to initialize
   @return CRYPT_OK if successful
-*/  
+*/
 int rc4_start(prng_state *prng)
 {
-    LTC_ARGCHK(prng != NULL);
-
-    /* set keysize to zero */
-    prng->rc4.x = 0;
-    
-    return CRYPT_OK;
+   LTC_ARGCHK(prng != NULL);
+   prng->ready = 0;
+   /* set entropy (key) size to zero */
+   prng->rc4.s.x = 0;
+   /* clear entropy (key) buffer */
+   XMEMSET(&prng->rc4.s.buf, 0, sizeof(prng->rc4.s.buf));
+   LTC_MUTEX_INIT(&prng->lock)
+   return CRYPT_OK;
 }
 
 /**
@@ -51,68 +52,63 @@
   @param inlen    Length of the data to add
   @param prng     PRNG state to update
   @return CRYPT_OK if successful
-*/  
+*/
 int rc4_add_entropy(const unsigned char *in, unsigned long inlen, prng_state *prng)
 {
-    LTC_ARGCHK(in  != NULL);
-    LTC_ARGCHK(prng != NULL);
- 
-    /* trim as required */
-    if (prng->rc4.x + inlen > 256) {
-       if (prng->rc4.x == 256) {
-          /* I can't possibly accept another byte, ok maybe a mint wafer... */
-          return CRYPT_OK;
-       } else {
-          /* only accept part of it */
-          inlen = 256 - prng->rc4.x;
-       }       
-    }
+   unsigned char buf[256];
+   unsigned long i;
+   int err;
+
+   LTC_ARGCHK(prng != NULL);
+   LTC_ARGCHK(in != NULL);
+   LTC_ARGCHK(inlen > 0);
 
-    while (inlen--) {
-       prng->rc4.buf[prng->rc4.x++] = *in++;
-    }
-
-    return CRYPT_OK;
-    
+   LTC_MUTEX_LOCK(&prng->lock);
+   if (prng->ready) {
+      /* rc4_ready() was already called, do "rekey" operation */
+      if ((err = rc4_stream_keystream(&prng->rc4.s, buf, sizeof(buf))) != CRYPT_OK) goto LBL_UNLOCK;
+      for(i = 0; i < inlen; i++) buf[i % sizeof(buf)] ^= in[i];
+      /* initialize RC4 */
+      if ((err = rc4_stream_setup(&prng->rc4.s, buf, sizeof(buf))) != CRYPT_OK) goto LBL_UNLOCK;
+      /* drop first 3072 bytes - https://en.wikipedia.org/wiki/RC4#Fluhrer.2C_Mantin_and_Shamir_attack */
+      for (i = 0; i < 12; i++) rc4_stream_keystream(&prng->rc4.s, buf, sizeof(buf));
+      zeromem(buf, sizeof(buf));
+   }
+   else {
+      /* rc4_ready() was not called yet, add entropy to the buffer */
+      while (inlen--) prng->rc4.s.buf[prng->rc4.s.x++ % sizeof(prng->rc4.s.buf)] ^= *in++;
+   }
+   err = CRYPT_OK;
+LBL_UNLOCK:
+   LTC_MUTEX_UNLOCK(&prng->lock);
+   return err;
 }
 
 /**
   Make the PRNG ready to read from
   @param prng   The PRNG to make active
   @return CRYPT_OK if successful
-*/  
+*/
 int rc4_ready(prng_state *prng)
 {
-    unsigned char key[256], tmp, *s;
-    int keylen, x, y, j;
-
-    LTC_ARGCHK(prng != NULL);
+   unsigned char buf[256] = { 0 };
+   unsigned long len;
+   int err, i;
 
-    /* extract the key */
-    s = prng->rc4.buf;
-    XMEMCPY(key, s, 256);
-    keylen = prng->rc4.x;
-
-    /* make LTC_RC4 perm and shuffle */
-    for (x = 0; x < 256; x++) {
-        s[x] = x;
-    }
+   LTC_ARGCHK(prng != NULL);
 
-    for (j = x = y = 0; x < 256; x++) {
-        y = (y + prng->rc4.buf[x] + key[j++]) & 255;
-        if (j == keylen) {
-           j = 0; 
-        }
-        tmp = s[x]; s[x] = s[y]; s[y] = tmp;
-    }
-    prng->rc4.x = 0;
-    prng->rc4.y = 0;
-
-#ifdef LTC_CLEAN_STACK
-    zeromem(key, sizeof(key));
-#endif
-
-    return CRYPT_OK;
+   LTC_MUTEX_LOCK(&prng->lock);
+   if (prng->ready) { err = CRYPT_OK; goto LBL_UNLOCK; }
+   XMEMCPY(buf, prng->rc4.s.buf, sizeof(buf));
+   /* initialize RC4 */
+   len = MIN(prng->rc4.s.x, 256); /* TODO: we can perhaps always use all 256 bytes */
+   if ((err = rc4_stream_setup(&prng->rc4.s, buf, len)) != CRYPT_OK) goto LBL_UNLOCK;
+   /* drop first 3072 bytes - https://en.wikipedia.org/wiki/RC4#Fluhrer.2C_Mantin_and_Shamir_attack */
+   for (i = 0; i < 12; i++) rc4_stream_keystream(&prng->rc4.s, buf, sizeof(buf));
+   prng->ready = 1;
+LBL_UNLOCK:
+   LTC_MUTEX_UNLOCK(&prng->lock);
+   return err;
 }
 
 /**
@@ -121,44 +117,33 @@
   @param outlen   Length of output
   @param prng     The active PRNG to read from
   @return Number of octets read
-*/  
+*/
 unsigned long rc4_read(unsigned char *out, unsigned long outlen, prng_state *prng)
 {
-   unsigned char x, y, *s, tmp;
-   unsigned long n;
-
-   LTC_ARGCHK(out != NULL);
-   LTC_ARGCHK(prng != NULL);
-
-#ifdef LTC_VALGRIND
-   zeromem(out, outlen);
-#endif
-
-   n = outlen;
-   x = prng->rc4.x;
-   y = prng->rc4.y;
-   s = prng->rc4.buf;
-   while (outlen--) {
-      x = (x + 1) & 255;
-      y = (y + s[x]) & 255;
-      tmp = s[x]; s[x] = s[y]; s[y] = tmp;
-      tmp = (s[x] + s[y]) & 255;
-      *out++ ^= s[tmp];
-   }
-   prng->rc4.x = x;
-   prng->rc4.y = y;
-   return n;
+   if (outlen == 0 || prng == NULL || out == NULL) return 0;
+   LTC_MUTEX_LOCK(&prng->lock);
+   if (!prng->ready) { outlen = 0; goto LBL_UNLOCK; }
+   if (rc4_stream_keystream(&prng->rc4.s, out, outlen) != CRYPT_OK) outlen = 0;
+LBL_UNLOCK:
+   LTC_MUTEX_UNLOCK(&prng->lock);
+   return outlen;
 }
 
 /**
   Terminate the PRNG
   @param prng   The PRNG to terminate
   @return CRYPT_OK if successful
-*/  
+*/
 int rc4_done(prng_state *prng)
 {
+   int err;
    LTC_ARGCHK(prng != NULL);
-   return CRYPT_OK;
+   LTC_MUTEX_LOCK(&prng->lock);
+   prng->ready = 0;
+   err = rc4_stream_done(&prng->rc4.s);
+   LTC_MUTEX_UNLOCK(&prng->lock);
+   LTC_MUTEX_DESTROY(&prng->lock);
+   return err;
 }
 
 /**
@@ -167,103 +152,99 @@
   @param outlen    [in/out] Max size and resulting size of the state
   @param prng      The PRNG to export
   @return CRYPT_OK if successful
-*/  
+*/
 int rc4_export(unsigned char *out, unsigned long *outlen, prng_state *prng)
 {
-   LTC_ARGCHK(outlen != NULL);
-   LTC_ARGCHK(out    != NULL);
+   unsigned long len = rc4_desc.export_size;
+
    LTC_ARGCHK(prng   != NULL);
+   LTC_ARGCHK(out    != NULL);
+   LTC_ARGCHK(outlen != NULL);
 
-   if (*outlen < 32) {
-      *outlen = 32;
+   if (*outlen < len) {
+      *outlen = len;
       return CRYPT_BUFFER_OVERFLOW;
    }
 
-   if (rc4_read(out, 32, prng) != 32) {
+   if (rc4_read(out, len, prng) != len) {
       return CRYPT_ERROR_READPRNG;
    }
-   *outlen = 32;
 
+   *outlen = len;
    return CRYPT_OK;
 }
- 
+
 /**
   Import a PRNG state
   @param in       The PRNG state
   @param inlen    Size of the state
   @param prng     The PRNG to import
   @return CRYPT_OK if successful
-*/  
+*/
 int rc4_import(const unsigned char *in, unsigned long inlen, prng_state *prng)
 {
    int err;
-   LTC_ARGCHK(in   != NULL);
-   LTC_ARGCHK(prng != NULL);
 
-   if (inlen != 32) {
-      return CRYPT_INVALID_ARG;
-   }
-   
-   if ((err = rc4_start(prng)) != CRYPT_OK) {
-      return err;
-   }
-   return rc4_add_entropy(in, 32, prng);
+   LTC_ARGCHK(prng != NULL);
+   LTC_ARGCHK(in   != NULL);
+   if (inlen < (unsigned long)rc4_desc.export_size) return CRYPT_INVALID_ARG;
+
+   if ((err = rc4_start(prng)) != CRYPT_OK)                  return err;
+   if ((err = rc4_add_entropy(in, inlen, prng)) != CRYPT_OK) return err;
+   return CRYPT_OK;
 }
 
 /**
   PRNG self-test
   @return CRYPT_OK if successful, CRYPT_NOP if self-testing has been disabled
-*/  
+*/
 int rc4_test(void)
 {
-#if !defined(LTC_TEST) || defined(LTC_VALGRIND)
+#ifndef LTC_TEST
    return CRYPT_NOP;
 #else
-   static const struct {
-      unsigned char key[8], pt[8], ct[8];
-   } tests[] = {
-{
-   { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef },
-   { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef },
-   { 0x75, 0xb7, 0x87, 0x80, 0x99, 0xe0, 0xc5, 0x96 }
-}
-};
-   prng_state prng;
-   unsigned char dst[8];
-   int err, x;
+   prng_state st;
+   unsigned char en[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
+                          0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14,
+                          0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e,
+                          0x1f, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28,
+                          0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32 };
+   unsigned char dmp[500];
+   unsigned long dmplen = sizeof(dmp);
+   unsigned char out[1000];
+   unsigned char t1[] = { 0xE0, 0x4D, 0x9A, 0xF6, 0xA8, 0x9D, 0x77, 0x53, 0xAE, 0x09 };
+   unsigned char t2[] = { 0xEF, 0x80, 0xA2, 0xE6, 0x50, 0x91, 0xF3, 0x17, 0x4A, 0x8A };
+   unsigned char t3[] = { 0x4B, 0xD6, 0x5C, 0x67, 0x99, 0x03, 0x56, 0x12, 0x80, 0x48 };
+   int err;
 
-   for (x = 0; x < (int)(sizeof(tests)/sizeof(tests[0])); x++) {
-       if ((err = rc4_start(&prng)) != CRYPT_OK) {
-          return err;
-       }
-       if ((err = rc4_add_entropy(tests[x].key, 8, &prng)) != CRYPT_OK) {
-          return err;
-       }
-       if ((err = rc4_ready(&prng)) != CRYPT_OK) {
-          return err;
-       }
-       XMEMCPY(dst, tests[x].pt, 8);
-       if (rc4_read(dst, 8, &prng) != 8) {
-          return CRYPT_ERROR_READPRNG;
-       }
-       rc4_done(&prng);
-       if (XMEMCMP(dst, tests[x].ct, 8)) {
-#if 0
-          int y;
-          printf("\n\nLTC_RC4 failed, I got:\n"); 
-          for (y = 0; y < 8; y++) printf("%02x ", dst[y]);
-          printf("\n");
-#endif
-          return CRYPT_FAIL_TESTVECTOR;
-       }
-   }
+   if ((err = rc4_start(&st)) != CRYPT_OK)                         return err;
+   /* add entropy to uninitialized prng */
+   if ((err = rc4_add_entropy(en, sizeof(en), &st)) != CRYPT_OK)   return err;
+   if ((err = rc4_ready(&st)) != CRYPT_OK)                         return err;
+   if (rc4_read(out, 10, &st) != 10)                               return CRYPT_ERROR_READPRNG; /* 10 bytes for testing */
+   if (compare_testvector(out, 10, t1, sizeof(t1), "RC4-PRNG", 1)) return CRYPT_FAIL_TESTVECTOR;
+   if (rc4_read(out, 500, &st) != 500)                             return CRYPT_ERROR_READPRNG; /* skip 500 bytes */
+   /* add entropy to already initialized prng */
+   if ((err = rc4_add_entropy(en, sizeof(en), &st)) != CRYPT_OK)   return err;
+   if (rc4_read(out, 500, &st) != 500)                             return CRYPT_ERROR_READPRNG; /* skip 500 bytes */
+   if ((err = rc4_export(dmp, &dmplen, &st)) != CRYPT_OK)          return err;
+   if (rc4_read(out, 500, &st) != 500)                             return CRYPT_ERROR_READPRNG; /* skip 500 bytes */
+   if (rc4_read(out, 10, &st) != 10)                               return CRYPT_ERROR_READPRNG; /* 10 bytes for testing */
+   if (compare_testvector(out, 10, t2, sizeof(t2), "RC4-PRNG", 2)) return CRYPT_FAIL_TESTVECTOR;
+   if ((err = rc4_done(&st)) != CRYPT_OK)                          return err;
+   if ((err = rc4_import(dmp, dmplen, &st)) != CRYPT_OK)           return err;
+   if ((err = rc4_ready(&st)) != CRYPT_OK)                         return err;
+   if (rc4_read(out, 500, &st) != 500)                             return CRYPT_ERROR_READPRNG; /* skip 500 bytes */
+   if (rc4_read(out, 10, &st) != 10)                               return CRYPT_ERROR_READPRNG; /* 10 bytes for testing */
+   if (compare_testvector(out, 10, t3, sizeof(t3), "RC4-PRNG", 3)) return CRYPT_FAIL_TESTVECTOR;
+   if ((err = rc4_done(&st)) != CRYPT_OK)                          return err;
+
    return CRYPT_OK;
 #endif
 }
 
 #endif
 
-
-/* $Source$ */
-/* $Revision$ */
-/* $Date$ */
+/* ref:         $Format:%D$ */
+/* git commit:  $Format:%H$ */
+/* commit time: $Format:%ai$ */