If RC4_MITIGATE is defined, discard the first 3072 pseudorandom bytes
authorMatthew Mondor <mmondor@pulsar-zone.net>
Sun, 28 Aug 2016 10:38:16 +0000 (10:38 +0000)
committerMatthew Mondor <mmondor@pulsar-zone.net>
Sun, 28 Aug 2016 10:38:16 +0000 (10:38 +0000)
src/rc4.c

index 22bbebf..0eb4873 100644 (file)
--- a/src/rc4.c
+++ b/src/rc4.c
@@ -74,7 +74,33 @@ void *rc4_initstate(unsigned char *key, int keylen)
       if(idx1 >= keylen)
          idx1 = 0;
    }
-   
+
+#ifdef RC4_MITIGATE
+   /*
+    * Discard the first 3072 pseudorandom bytes to mitigate some arcfour
+    * vulnerabilities related to the weak key scheduling algorithm.
+    * Unfortunately this makes the implementation incompatible with legacy
+    * ones, meaning that all servers of the network should enable this at the
+    * same time.  Ideally, inter-server links should eventually use SSL.
+    */
+   {
+          RC4BYTE *s = rc4->mstate;
+          RC4DWORD x, y, a, b;
+
+          for (x = rc4->x, y = rc4->y, i = 0;
+               i < 3072; i++) {
+                  x = (x + 1) & 0xff;
+                  a = s[x];
+                  y = (y + a) & 0xff;
+                  b = s[y];
+                  s[x] = b;
+                  s[y] = a;
+          }
+          rc4->x = (RC4BYTE)x;
+          rc4->y = (RC4BYTE)y;
+   }
+#endif
+
    return (void *) rc4;
 }
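Review bot: The drop count 3072 is a bare magic number used twice in the hunk, once in the comment and once as the loop bound, and the comment only says the discard mitigates "some arcfour vulnerabilities" without naming what is and is not covered; give it a name, `#define RC4_DROP_BYTES 3072` next to the RC4_MITIGATE block and `i < RC4_DROP_BYTES` in the loop, so the comment and code cannot drift apart. The comment should also state precisely that this is the RC4-drop[n] construction: discarding the early keystream removes the key-correlated biases in the first output bytes (the basis of the FMS-style key recovery, with 3072 = 12*256 being the commonly cited drop), but it does nothing about the long-term keystream biases found later or about keystream reuse if the same key is used more than once, so RC4_MITIGATE is a stopgap and not a fix, and a reader should not take it as making RC4 safe. Since the mixing loop reuses `i` from the key-scheduling loop above, its declaration and the initialization of rc4->x and rc4->y are outside the hunk; the code as shown relies on both being set before the #ifdef block, which looks consistent with the surrounding KSA but cannot be confirmed here. rc4_initstate begins outside the hunk.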