Re: Allegations regarding OpenBSD IPSEC

From: Kurt Knochner
Date: Tuesday, December 21, 2010 - 12:54 pm

2010/12/21 Otto Moerbeek <otto@drijf.net>:

hm... predictable is not a good term in the domain of a PRNG.

However the time value will not be used by itself. It is part of an
encrypt operation with itself + buf and a previous RC4 state, at least
after the second call to arc4_stir.

So, maybe this has no meaning at all. However I would "recommend" to
check this very thoroughly before changing any line of that code.
Maybe you'll add a weakness by removing the time value.

I would recommend to do the following, and I'm trying to do it myself
during the next few days.

1.) Rewrite arc4random() and arc4random_buf() to "store" all random
values from boot time until the establishment of a few IPSEC tunnels.

2.) Repeat that procedure a few times, i.e. reboot, ipsec, store,
reboot, ipsec, store, etc.

3.) Take all those pseudo random value sequences and feed them into
the NIST test suite for random values (chi-square, diehard, etc.)

4.) Repeat those steps after the removal of the time value from the code.

5.) Try to interpret the outcome of the NIST tests. Maybe other people
(real cryptographers) should help with this last step.

Regards
Kurt Knochner

http://knochner.com/
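
An added example, not part of the original message and not OpenBSD code: a minimal stand-in for steps 2 and 3 that runs a byte-frequency chi-square test on each per-boot capture and also compares captures across boots, since a stream can pass a statistical test and still repeat from one boot to the next. The function names are hypothetical, and the captures are constructed with SHA-256 in counter mode rather than taken from arc4random().

```python
import hashlib
import math
from itertools import combinations

def chi_square_bytes(data):
    """Pearson chi-square of byte frequencies against a uniform distribution."""
    expected = len(data) / 256
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return sum((c - expected) ** 2 / expected for c in counts)

def looks_uniform(data, z_limit=4.0):
    """255 degrees of freedom: mean 255, variance 510; reject large deviations."""
    z = (chi_square_bytes(data) - 255) / math.sqrt(510)
    return abs(z) <= z_limit

def shared_prefix_len(a, b):
    """Number of leading bytes two captures have in common."""
    limit = min(len(a), len(b))
    return next((i for i in range(limit) if a[i] != b[i]), limit)

def repeated_across_boots(captures, min_len=8):
    """Pairs of boots whose output starts with the same min_len or more bytes."""
    hits = []
    for (na, a), (nb, b) in combinations(sorted(captures.items()), 2):
        n = shared_prefix_len(a, b)
        if n >= min_len:
            hits.append((na, nb, n))
    return hits

def constructed_stream(seed, n=65536):
    """Constructed stand-in for one boot's capture: SHA-256 in counter mode."""
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32))

# Constructed sample captures (assumption: one byte string per boot).
CAPTURES = {
    "boot1": constructed_stream(b"seed-A"),
    "boot2": constructed_stream(b"seed-B"),
    "boot3": constructed_stream(b"seed-A"),  # same seed as boot1
}
BIASED = bytes(b & 0x7F for b in CAPTURES["boot2"])  # top bit stuck at 0

if __name__ == "__main__":
    print({k: looks_uniform(v) for k, v in CAPTURES.items()}, looks_uniform(BIASED))
    print(repeated_across_boots(CAPTURES))
```

All three constructed captures pass the frequency test, yet boot1 and boot3 are byte-for-byte identical, which only the cross-boot comparison reports.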