Aren
/
NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
NetBSD/sys/dev/rndpool.c

319 lines
8.1 KiB
C
Raw Normal View History

portability fix: when rotating, don't do shifts >= wordsize.
2000-06-10 21:01:15 +04:00
/* $NetBSD: rndpool.c,v 1.10 2000/06/10 17:01:15 sommerfeld Exp $ */
Addition of /dev/random and in-kernel random value generation. Over the next few days (thank goodness for long weekends) I'll be hunting down device drivers and adding hooks to gather entropy from many devices, and adding the conf.c changes to the various port's device structs to define major numbers for /dev/random and /dev/urandom.
1997-10-10 03:13:12 +04:00
/*-
* Copyright (c) 1997 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This code is derived from software contributed to The NetBSD Foundation
Update notice to indicate the the IDEAS were derived from Ted's code, not the code itself, per phone conversation with Ted
1997-10-13 23:59:26 +04:00
* by Michael Graff <explorer@flame.org>. This code uses ideas and
* algorithms from the Linux driver written by Ted Ts'o.
Addition of /dev/random and in-kernel random value generation. Over the next few days (thank goodness for long weekends) I'll be hunting down device drivers and adding hooks to gather entropy from many devices, and adding the conf.c changes to the various port's device structs to define major numbers for /dev/random and /dev/urandom.
1997-10-10 03:13:12 +04:00
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the NetBSD
* Foundation, Inc. and its contributors.
* 4. Neither the name of The NetBSD Foundation nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include <sys/param.h>
#include <sys/types.h>
#include <sys/systm.h>
Move RND_ENTROPY_THRESHOLD to sys/rnd.h. Use sha1 rather than md5, and release the first 96 bits of the hash directly rather than by folding. The full 160 bit hash is mixed back into the entropy pool. This keeps 64 bits secret to stir the pool with.
1998-05-27 04:59:14 +04:00
#include <sys/sha1.h>
Addition of /dev/random and in-kernel random value generation. Over the next few days (thank goodness for long weekends) I'll be hunting down device drivers and adding hooks to gather entropy from many devices, and adding the conf.c changes to the various port's device structs to define major numbers for /dev/random and /dev/urandom.
1997-10-10 03:13:12 +04:00
#include <sys/rnd.h>
/*
* The random pool "taps"
*/
Don't pretned to maintain an internal "global" entropy pool. In-kernel locking cannot be done with it, and that sort of thing probably should not be shared anyway.
1997-10-20 19:03:19 +04:00
#define TAP1 99
#define TAP2 59
#define TAP3 31
#define TAP4 9
#define TAP5 7
Addition of /dev/random and in-kernel random value generation. Over the next few days (thank goodness for long weekends) I'll be hunting down device drivers and adding hooks to gather entropy from many devices, and adding the conf.c changes to the various port's device structs to define major numbers for /dev/random and /dev/urandom.
1997-10-10 03:13:12 +04:00
static inline void rndpool_add_one_word(rndpool_t *, u_int32_t);
void
rndpool_init(rp)
rndpool_t *rp;
{
KNF anality.
1999-01-27 13:41:00 +03:00
/dev/random code cleanups: - Add comments about which spls apply to which data structures. - Consistently protect the rnd_samples queue (the queue of unprocessed samples) at splhigh(). - allow MD code to supply cpu_timestamp() and cpu_havetimestamp() for an optional higher-resolution clock/roulette wheel source. - Collect more statistics on the pool state (keeping track of where collected bits are going, in addition to where they came from). - Add RNDGETPOOLSTAT ioctl to get the additional stats. - Flush a few unused rndpool calls. - XXX XXX Cryptographic changes: - 32-bit rotate is: ((val << rp->rotate) | (val >> (32 - rp->rotate))), not (val << rp->rotate) | (val >> rp->rotate) or ((val << rp->rotate) | (val >> (31 - rp->rotate))) - Avoid overloading of rp->rotate and double-rotation of data (which limited pool mixing somewhat; "rotate" never got above 7). - Be more paranoid (but probably not paranoid enough) about mixing output back into the pool. This is an improvement, but it needs revisiting soon. We should follow the spirit of some of the recommendations in the Schneier PRNG papers: http://www.counterpane.com/yarrow-notes.html http://www.counterpane.com/pseudorandom_number.html including: - two (or more) stage operation for better isolation between inputs and outputs. - use of keyed one-way functions (probably better even than invertible keyed functions like 3DES) at key points in the data flow, so that breaking the PRNG is clearly as hard as breaking the function.
2000-06-06 03:42:34 +04:00
rp->cursor = 0;
Addition of /dev/random and in-kernel random value generation. Over the next few days (thank goodness for long weekends) I'll be hunting down device drivers and adding hooks to gather entropy from many devices, and adding the conf.c changes to the various port's device structs to define major numbers for /dev/random and /dev/urandom.
1997-10-10 03:13:12 +04:00
rp->rotate = 0;
/dev/random code cleanups: - Add comments about which spls apply to which data structures. - Consistently protect the rnd_samples queue (the queue of unprocessed samples) at splhigh(). - allow MD code to supply cpu_timestamp() and cpu_havetimestamp() for an optional higher-resolution clock/roulette wheel source. - Collect more statistics on the pool state (keeping track of where collected bits are going, in addition to where they came from). - Add RNDGETPOOLSTAT ioctl to get the additional stats. - Flush a few unused rndpool calls. - XXX XXX Cryptographic changes: - 32-bit rotate is: ((val << rp->rotate) | (val >> (32 - rp->rotate))), not (val << rp->rotate) | (val >> rp->rotate) or ((val << rp->rotate) | (val >> (31 - rp->rotate))) - Avoid overloading of rp->rotate and double-rotation of data (which limited pool mixing somewhat; "rotate" never got above 7). - Be more paranoid (but probably not paranoid enough) about mixing output back into the pool. This is an improvement, but it needs revisiting soon. We should follow the spirit of some of the recommendations in the Schneier PRNG papers: http://www.counterpane.com/yarrow-notes.html http://www.counterpane.com/pseudorandom_number.html including: - two (or more) stage operation for better isolation between inputs and outputs. - use of keyed one-way functions (probably better even than invertible keyed functions like 3DES) at key points in the data flow, so that breaking the PRNG is clearly as hard as breaking the function.
2000-06-06 03:42:34 +04:00
memset(&rp->stats, 0, sizeof(rp->stats));
rp->stats.curentropy = 0;
rp->stats.poolsize = RND_POOLWORDS;
rp->stats.threshold = RND_ENTROPY_THRESHOLD;
rp->stats.maxentropy = RND_POOLBITS;
assert(RND_ENTROPY_THRESHOLD*2 <= 20); /* XXX sha knowledge */
Addition of /dev/random and in-kernel random value generation. Over the next few days (thank goodness for long weekends) I'll be hunting down device drivers and adding hooks to gather entropy from many devices, and adding the conf.c changes to the various port's device structs to define major numbers for /dev/random and /dev/urandom.
1997-10-10 03:13:12 +04:00
}
u_int32_t
rndpool_get_entropy_count(rp)
rndpool_t *rp;
{
KNF anality.
1999-01-27 13:41:00 +03:00
/dev/random code cleanups: - Add comments about which spls apply to which data structures. - Consistently protect the rnd_samples queue (the queue of unprocessed samples) at splhigh(). - allow MD code to supply cpu_timestamp() and cpu_havetimestamp() for an optional higher-resolution clock/roulette wheel source. - Collect more statistics on the pool state (keeping track of where collected bits are going, in addition to where they came from). - Add RNDGETPOOLSTAT ioctl to get the additional stats. - Flush a few unused rndpool calls. - XXX XXX Cryptographic changes: - 32-bit rotate is: ((val << rp->rotate) | (val >> (32 - rp->rotate))), not (val << rp->rotate) | (val >> rp->rotate) or ((val << rp->rotate) | (val >> (31 - rp->rotate))) - Avoid overloading of rp->rotate and double-rotation of data (which limited pool mixing somewhat; "rotate" never got above 7). - Be more paranoid (but probably not paranoid enough) about mixing output back into the pool. This is an improvement, but it needs revisiting soon. We should follow the spirit of some of the recommendations in the Schneier PRNG papers: http://www.counterpane.com/yarrow-notes.html http://www.counterpane.com/pseudorandom_number.html including: - two (or more) stage operation for better isolation between inputs and outputs. - use of keyed one-way functions (probably better even than invertible keyed functions like 3DES) at key points in the data flow, so that breaking the PRNG is clearly as hard as breaking the function.
2000-06-06 03:42:34 +04:00
return rp->stats.curentropy;
Addition of /dev/random and in-kernel random value generation. Over the next few days (thank goodness for long weekends) I'll be hunting down device drivers and adding hooks to gather entropy from many devices, and adding the conf.c changes to the various port's device structs to define major numbers for /dev/random and /dev/urandom.
1997-10-10 03:13:12 +04:00
}
/dev/random code cleanups: - Add comments about which spls apply to which data structures. - Consistently protect the rnd_samples queue (the queue of unprocessed samples) at splhigh(). - allow MD code to supply cpu_timestamp() and cpu_havetimestamp() for an optional higher-resolution clock/roulette wheel source. - Collect more statistics on the pool state (keeping track of where collected bits are going, in addition to where they came from). - Add RNDGETPOOLSTAT ioctl to get the additional stats. - Flush a few unused rndpool calls. - XXX XXX Cryptographic changes: - 32-bit rotate is: ((val << rp->rotate) | (val >> (32 - rp->rotate))), not (val << rp->rotate) | (val >> rp->rotate) or ((val << rp->rotate) | (val >> (31 - rp->rotate))) - Avoid overloading of rp->rotate and double-rotation of data (which limited pool mixing somewhat; "rotate" never got above 7). - Be more paranoid (but probably not paranoid enough) about mixing output back into the pool. This is an improvement, but it needs revisiting soon. We should follow the spirit of some of the recommendations in the Schneier PRNG papers: http://www.counterpane.com/yarrow-notes.html http://www.counterpane.com/pseudorandom_number.html including: - two (or more) stage operation for better isolation between inputs and outputs. - use of keyed one-way functions (probably better even than invertible keyed functions like 3DES) at key points in the data flow, so that breaking the PRNG is clearly as hard as breaking the function.
2000-06-06 03:42:34 +04:00
void rndpool_get_stats(rp, rsp, size)
Addition of /dev/random and in-kernel random value generation. Over the next few days (thank goodness for long weekends) I'll be hunting down device drivers and adding hooks to gather entropy from many devices, and adding the conf.c changes to the various port's device structs to define major numbers for /dev/random and /dev/urandom.
1997-10-10 03:13:12 +04:00
rndpool_t *rp;
/dev/random code cleanups: - Add comments about which spls apply to which data structures. - Consistently protect the rnd_samples queue (the queue of unprocessed samples) at splhigh(). - allow MD code to supply cpu_timestamp() and cpu_havetimestamp() for an optional higher-resolution clock/roulette wheel source. - Collect more statistics on the pool state (keeping track of where collected bits are going, in addition to where they came from). - Add RNDGETPOOLSTAT ioctl to get the additional stats. - Flush a few unused rndpool calls. - XXX XXX Cryptographic changes: - 32-bit rotate is: ((val << rp->rotate) | (val >> (32 - rp->rotate))), not (val << rp->rotate) | (val >> rp->rotate) or ((val << rp->rotate) | (val >> (31 - rp->rotate))) - Avoid overloading of rp->rotate and double-rotation of data (which limited pool mixing somewhat; "rotate" never got above 7). - Be more paranoid (but probably not paranoid enough) about mixing output back into the pool. This is an improvement, but it needs revisiting soon. We should follow the spirit of some of the recommendations in the Schneier PRNG papers: http://www.counterpane.com/yarrow-notes.html http://www.counterpane.com/pseudorandom_number.html including: - two (or more) stage operation for better isolation between inputs and outputs. - use of keyed one-way functions (probably better even than invertible keyed functions like 3DES) at key points in the data flow, so that breaking the PRNG is clearly as hard as breaking the function.
2000-06-06 03:42:34 +04:00
void *rsp;
int size;
Addition of /dev/random and in-kernel random value generation. Over the next few days (thank goodness for long weekends) I'll be hunting down device drivers and adding hooks to gather entropy from many devices, and adding the conf.c changes to the various port's device structs to define major numbers for /dev/random and /dev/urandom.
1997-10-10 03:13:12 +04:00
{
/dev/random code cleanups: - Add comments about which spls apply to which data structures. - Consistently protect the rnd_samples queue (the queue of unprocessed samples) at splhigh(). - allow MD code to supply cpu_timestamp() and cpu_havetimestamp() for an optional higher-resolution clock/roulette wheel source. - Collect more statistics on the pool state (keeping track of where collected bits are going, in addition to where they came from). - Add RNDGETPOOLSTAT ioctl to get the additional stats. - Flush a few unused rndpool calls. - XXX XXX Cryptographic changes: - 32-bit rotate is: ((val << rp->rotate) | (val >> (32 - rp->rotate))), not (val << rp->rotate) | (val >> rp->rotate) or ((val << rp->rotate) | (val >> (31 - rp->rotate))) - Avoid overloading of rp->rotate and double-rotation of data (which limited pool mixing somewhat; "rotate" never got above 7). - Be more paranoid (but probably not paranoid enough) about mixing output back into the pool. This is an improvement, but it needs revisiting soon. We should follow the spirit of some of the recommendations in the Schneier PRNG papers: http://www.counterpane.com/yarrow-notes.html http://www.counterpane.com/pseudorandom_number.html including: - two (or more) stage operation for better isolation between inputs and outputs. - use of keyed one-way functions (probably better even than invertible keyed functions like 3DES) at key points in the data flow, so that breaking the PRNG is clearly as hard as breaking the function.
2000-06-06 03:42:34 +04:00
memcpy(rsp, &rp->stats, size);
Addition of /dev/random and in-kernel random value generation. Over the next few days (thank goodness for long weekends) I'll be hunting down device drivers and adding hooks to gather entropy from many devices, and adding the conf.c changes to the various port's device structs to define major numbers for /dev/random and /dev/urandom.
1997-10-10 03:13:12 +04:00
}
/dev/random code cleanups: - Add comments about which spls apply to which data structures. - Consistently protect the rnd_samples queue (the queue of unprocessed samples) at splhigh(). - allow MD code to supply cpu_timestamp() and cpu_havetimestamp() for an optional higher-resolution clock/roulette wheel source. - Collect more statistics on the pool state (keeping track of where collected bits are going, in addition to where they came from). - Add RNDGETPOOLSTAT ioctl to get the additional stats. - Flush a few unused rndpool calls. - XXX XXX Cryptographic changes: - 32-bit rotate is: ((val << rp->rotate) | (val >> (32 - rp->rotate))), not (val << rp->rotate) | (val >> rp->rotate) or ((val << rp->rotate) | (val >> (31 - rp->rotate))) - Avoid overloading of rp->rotate and double-rotation of data (which limited pool mixing somewhat; "rotate" never got above 7). - Be more paranoid (but probably not paranoid enough) about mixing output back into the pool. This is an improvement, but it needs revisiting soon. We should follow the spirit of some of the recommendations in the Schneier PRNG papers: http://www.counterpane.com/yarrow-notes.html http://www.counterpane.com/pseudorandom_number.html including: - two (or more) stage operation for better isolation between inputs and outputs. - use of keyed one-way functions (probably better even than invertible keyed functions like 3DES) at key points in the data flow, so that breaking the PRNG is clearly as hard as breaking the function.
2000-06-06 03:42:34 +04:00
Addition of /dev/random and in-kernel random value generation. Over the next few days (thank goodness for long weekends) I'll be hunting down device drivers and adding hooks to gather entropy from many devices, and adding the conf.c changes to the various port's device structs to define major numbers for /dev/random and /dev/urandom.
1997-10-10 03:13:12 +04:00
void
rndpool_increment_entropy_count(rp, entropy)
rndpool_t *rp;
u_int32_t entropy;
{
KNF anality.
1999-01-27 13:41:00 +03:00
/dev/random code cleanups: - Add comments about which spls apply to which data structures. - Consistently protect the rnd_samples queue (the queue of unprocessed samples) at splhigh(). - allow MD code to supply cpu_timestamp() and cpu_havetimestamp() for an optional higher-resolution clock/roulette wheel source. - Collect more statistics on the pool state (keeping track of where collected bits are going, in addition to where they came from). - Add RNDGETPOOLSTAT ioctl to get the additional stats. - Flush a few unused rndpool calls. - XXX XXX Cryptographic changes: - 32-bit rotate is: ((val << rp->rotate) | (val >> (32 - rp->rotate))), not (val << rp->rotate) | (val >> rp->rotate) or ((val << rp->rotate) | (val >> (31 - rp->rotate))) - Avoid overloading of rp->rotate and double-rotation of data (which limited pool mixing somewhat; "rotate" never got above 7). - Be more paranoid (but probably not paranoid enough) about mixing output back into the pool. This is an improvement, but it needs revisiting soon. We should follow the spirit of some of the recommendations in the Schneier PRNG papers: http://www.counterpane.com/yarrow-notes.html http://www.counterpane.com/pseudorandom_number.html including: - two (or more) stage operation for better isolation between inputs and outputs. - use of keyed one-way functions (probably better even than invertible keyed functions like 3DES) at key points in the data flow, so that breaking the PRNG is clearly as hard as breaking the function.
2000-06-06 03:42:34 +04:00
rp->stats.curentropy += entropy;
rp->stats.added += entropy;
if (rp->stats.curentropy > RND_POOLBITS) {
rp->stats.discarded += (rp->stats.curentropy - RND_POOLBITS);
rp->stats.curentropy = RND_POOLBITS;
}
Addition of /dev/random and in-kernel random value generation. Over the next few days (thank goodness for long weekends) I'll be hunting down device drivers and adding hooks to gather entropy from many devices, and adding the conf.c changes to the various port's device structs to define major numbers for /dev/random and /dev/urandom.
1997-10-10 03:13:12 +04:00
}
u_int32_t *
rndpool_get_pool(rp)
rndpool_t *rp;
{
KNF anality.
1999-01-27 13:41:00 +03:00
Addition of /dev/random and in-kernel random value generation. Over the next few days (thank goodness for long weekends) I'll be hunting down device drivers and adding hooks to gather entropy from many devices, and adding the conf.c changes to the various port's device structs to define major numbers for /dev/random and /dev/urandom.
1997-10-10 03:13:12 +04:00
return (rp->pool);
}
u_int32_t
rndpool_get_poolsize(void)
{
KNF anality.
1999-01-27 13:41:00 +03:00
Addition of /dev/random and in-kernel random value generation. Over the next few days (thank goodness for long weekends) I'll be hunting down device drivers and adding hooks to gather entropy from many devices, and adding the conf.c changes to the various port's device structs to define major numbers for /dev/random and /dev/urandom.
1997-10-10 03:13:12 +04:00
return (RND_POOLWORDS);
}
/*
* Add one word to the pool, rotating the input as needed.
*/
static inline void
rndpool_add_one_word(rp, val)
rndpool_t *rp;
u_int32_t val;
{
/*
* Steal some values out of the pool, and xor them into the
* word we were given.
*
/dev/random code cleanups: - Add comments about which spls apply to which data structures. - Consistently protect the rnd_samples queue (the queue of unprocessed samples) at splhigh(). - allow MD code to supply cpu_timestamp() and cpu_havetimestamp() for an optional higher-resolution clock/roulette wheel source. - Collect more statistics on the pool state (keeping track of where collected bits are going, in addition to where they came from). - Add RNDGETPOOLSTAT ioctl to get the additional stats. - Flush a few unused rndpool calls. - XXX XXX Cryptographic changes: - 32-bit rotate is: ((val << rp->rotate) | (val >> (32 - rp->rotate))), not (val << rp->rotate) | (val >> rp->rotate) or ((val << rp->rotate) | (val >> (31 - rp->rotate))) - Avoid overloading of rp->rotate and double-rotation of data (which limited pool mixing somewhat; "rotate" never got above 7). - Be more paranoid (but probably not paranoid enough) about mixing output back into the pool. This is an improvement, but it needs revisiting soon. We should follow the spirit of some of the recommendations in the Schneier PRNG papers: http://www.counterpane.com/yarrow-notes.html http://www.counterpane.com/pseudorandom_number.html including: - two (or more) stage operation for better isolation between inputs and outputs. - use of keyed one-way functions (probably better even than invertible keyed functions like 3DES) at key points in the data flow, so that breaking the PRNG is clearly as hard as breaking the function.
2000-06-06 03:42:34 +04:00
* Mix the new value into the pool using xor. This will
Addition of /dev/random and in-kernel random value generation. Over the next few days (thank goodness for long weekends) I'll be hunting down device drivers and adding hooks to gather entropy from many devices, and adding the conf.c changes to the various port's device structs to define major numbers for /dev/random and /dev/urandom.
1997-10-10 03:13:12 +04:00
* prevent the actual values from being known to the caller
* since the previous values are assumed to be unknown as well.
*/
val ^= rp->pool[(rp->cursor + TAP1) & (RND_POOLWORDS - 1)];
val ^= rp->pool[(rp->cursor + TAP2) & (RND_POOLWORDS - 1)];
val ^= rp->pool[(rp->cursor + TAP3) & (RND_POOLWORDS - 1)];
val ^= rp->pool[(rp->cursor + TAP4) & (RND_POOLWORDS - 1)];
Don't pretned to maintain an internal "global" entropy pool. In-kernel locking cannot be done with it, and that sort of thing probably should not be shared anyway.
1997-10-20 19:03:19 +04:00
val ^= rp->pool[(rp->cursor + TAP5) & (RND_POOLWORDS - 1)];
portability fix: when rotating, don't do shifts >= wordsize.
2000-06-10 21:01:15 +04:00
if (rp->rotate != 0)
val = ((val << rp->rotate) | (val >> (32 - rp->rotate)));
rp->pool[rp->cursor++] ^= val;
Addition of /dev/random and in-kernel random value generation. Over the next few days (thank goodness for long weekends) I'll be hunting down device drivers and adding hooks to gather entropy from many devices, and adding the conf.c changes to the various port's device structs to define major numbers for /dev/random and /dev/urandom.
1997-10-10 03:13:12 +04:00
/*
* If we have looped around the pool, increment the rotate
/dev/random code cleanups: - Add comments about which spls apply to which data structures. - Consistently protect the rnd_samples queue (the queue of unprocessed samples) at splhigh(). - allow MD code to supply cpu_timestamp() and cpu_havetimestamp() for an optional higher-resolution clock/roulette wheel source. - Collect more statistics on the pool state (keeping track of where collected bits are going, in addition to where they came from). - Add RNDGETPOOLSTAT ioctl to get the additional stats. - Flush a few unused rndpool calls. - XXX XXX Cryptographic changes: - 32-bit rotate is: ((val << rp->rotate) | (val >> (32 - rp->rotate))), not (val << rp->rotate) | (val >> rp->rotate) or ((val << rp->rotate) | (val >> (31 - rp->rotate))) - Avoid overloading of rp->rotate and double-rotation of data (which limited pool mixing somewhat; "rotate" never got above 7). - Be more paranoid (but probably not paranoid enough) about mixing output back into the pool. This is an improvement, but it needs revisiting soon. We should follow the spirit of some of the recommendations in the Schneier PRNG papers: http://www.counterpane.com/yarrow-notes.html http://www.counterpane.com/pseudorandom_number.html including: - two (or more) stage operation for better isolation between inputs and outputs. - use of keyed one-way functions (probably better even than invertible keyed functions like 3DES) at key points in the data flow, so that breaking the PRNG is clearly as hard as breaking the function.
2000-06-06 03:42:34 +04:00
* variable so the next value will get xored in rotated to
* a different position.
* Increment by a value that is relativly prime to the word size
* to try to spread the bits throughout the pool quickly when the
* pool is empty.
Addition of /dev/random and in-kernel random value generation. Over the next few days (thank goodness for long weekends) I'll be hunting down device drivers and adding hooks to gather entropy from many devices, and adding the conf.c changes to the various port's device structs to define major numbers for /dev/random and /dev/urandom.
1997-10-10 03:13:12 +04:00
*/
if (rp->cursor == RND_POOLWORDS) {
rp->cursor = 0;
rp->rotate = (rp->rotate + 7) & 31;
}
}
/dev/random code cleanups: - Add comments about which spls apply to which data structures. - Consistently protect the rnd_samples queue (the queue of unprocessed samples) at splhigh(). - allow MD code to supply cpu_timestamp() and cpu_havetimestamp() for an optional higher-resolution clock/roulette wheel source. - Collect more statistics on the pool state (keeping track of where collected bits are going, in addition to where they came from). - Add RNDGETPOOLSTAT ioctl to get the additional stats. - Flush a few unused rndpool calls. - XXX XXX Cryptographic changes: - 32-bit rotate is: ((val << rp->rotate) | (val >> (32 - rp->rotate))), not (val << rp->rotate) | (val >> rp->rotate) or ((val << rp->rotate) | (val >> (31 - rp->rotate))) - Avoid overloading of rp->rotate and double-rotation of data (which limited pool mixing somewhat; "rotate" never got above 7). - Be more paranoid (but probably not paranoid enough) about mixing output back into the pool. This is an improvement, but it needs revisiting soon. We should follow the spirit of some of the recommendations in the Schneier PRNG papers: http://www.counterpane.com/yarrow-notes.html http://www.counterpane.com/pseudorandom_number.html including: - two (or more) stage operation for better isolation between inputs and outputs. - use of keyed one-way functions (probably better even than invertible keyed functions like 3DES) at key points in the data flow, so that breaking the PRNG is clearly as hard as breaking the function.
2000-06-06 03:42:34 +04:00
#if 0
Addition of /dev/random and in-kernel random value generation. Over the next few days (thank goodness for long weekends) I'll be hunting down device drivers and adding hooks to gather entropy from many devices, and adding the conf.c changes to the various port's device structs to define major numbers for /dev/random and /dev/urandom.
1997-10-10 03:13:12 +04:00
/*
/dev/random code cleanups: - Add comments about which spls apply to which data structures. - Consistently protect the rnd_samples queue (the queue of unprocessed samples) at splhigh(). - allow MD code to supply cpu_timestamp() and cpu_havetimestamp() for an optional higher-resolution clock/roulette wheel source. - Collect more statistics on the pool state (keeping track of where collected bits are going, in addition to where they came from). - Add RNDGETPOOLSTAT ioctl to get the additional stats. - Flush a few unused rndpool calls. - XXX XXX Cryptographic changes: - 32-bit rotate is: ((val << rp->rotate) | (val >> (32 - rp->rotate))), not (val << rp->rotate) | (val >> rp->rotate) or ((val << rp->rotate) | (val >> (31 - rp->rotate))) - Avoid overloading of rp->rotate and double-rotation of data (which limited pool mixing somewhat; "rotate" never got above 7). - Be more paranoid (but probably not paranoid enough) about mixing output back into the pool. This is an improvement, but it needs revisiting soon. We should follow the spirit of some of the recommendations in the Schneier PRNG papers: http://www.counterpane.com/yarrow-notes.html http://www.counterpane.com/pseudorandom_number.html including: - two (or more) stage operation for better isolation between inputs and outputs. - use of keyed one-way functions (probably better even than invertible keyed functions like 3DES) at key points in the data flow, so that breaking the PRNG is clearly as hard as breaking the function.
2000-06-06 03:42:34 +04:00
* Stir a 32-bit value (with possibly less entropy than that) into the pool.
* Update entropy estimate.
Addition of /dev/random and in-kernel random value generation. Over the next few days (thank goodness for long weekends) I'll be hunting down device drivers and adding hooks to gather entropy from many devices, and adding the conf.c changes to the various port's device structs to define major numbers for /dev/random and /dev/urandom.
1997-10-10 03:13:12 +04:00
*/
void
rndpool_add_uint32(rp, val, entropy)
rndpool_t *rp;
u_int32_t val;
u_int32_t entropy;
{
rndpool_add_one_word(rp, val);
/dev/random code cleanups: - Add comments about which spls apply to which data structures. - Consistently protect the rnd_samples queue (the queue of unprocessed samples) at splhigh(). - allow MD code to supply cpu_timestamp() and cpu_havetimestamp() for an optional higher-resolution clock/roulette wheel source. - Collect more statistics on the pool state (keeping track of where collected bits are going, in addition to where they came from). - Add RNDGETPOOLSTAT ioctl to get the additional stats. - Flush a few unused rndpool calls. - XXX XXX Cryptographic changes: - 32-bit rotate is: ((val << rp->rotate) | (val >> (32 - rp->rotate))), not (val << rp->rotate) | (val >> rp->rotate) or ((val << rp->rotate) | (val >> (31 - rp->rotate))) - Avoid overloading of rp->rotate and double-rotation of data (which limited pool mixing somewhat; "rotate" never got above 7). - Be more paranoid (but probably not paranoid enough) about mixing output back into the pool. This is an improvement, but it needs revisiting soon. We should follow the spirit of some of the recommendations in the Schneier PRNG papers: http://www.counterpane.com/yarrow-notes.html http://www.counterpane.com/pseudorandom_number.html including: - two (or more) stage operation for better isolation between inputs and outputs. - use of keyed one-way functions (probably better even than invertible keyed functions like 3DES) at key points in the data flow, so that breaking the PRNG is clearly as hard as breaking the function.
2000-06-06 03:42:34 +04:00
rp->entropy += entropy;
rp->stats.added += entropy;
if (rp->entropy > RND_POOLBITS) {
rp->stats.discarded += (rp->entropy - RND_POOLBITS);
rp->entropy = RND_POOLBITS;
Addition of /dev/random and in-kernel random value generation. Over the next few days (thank goodness for long weekends) I'll be hunting down device drivers and adding hooks to gather entropy from many devices, and adding the conf.c changes to the various port's device structs to define major numbers for /dev/random and /dev/urandom.
1997-10-10 03:13:12 +04:00
}
}
/dev/random code cleanups: - Add comments about which spls apply to which data structures. - Consistently protect the rnd_samples queue (the queue of unprocessed samples) at splhigh(). - allow MD code to supply cpu_timestamp() and cpu_havetimestamp() for an optional higher-resolution clock/roulette wheel source. - Collect more statistics on the pool state (keeping track of where collected bits are going, in addition to where they came from). - Add RNDGETPOOLSTAT ioctl to get the additional stats. - Flush a few unused rndpool calls. - XXX XXX Cryptographic changes: - 32-bit rotate is: ((val << rp->rotate) | (val >> (32 - rp->rotate))), not (val << rp->rotate) | (val >> rp->rotate) or ((val << rp->rotate) | (val >> (31 - rp->rotate))) - Avoid overloading of rp->rotate and double-rotation of data (which limited pool mixing somewhat; "rotate" never got above 7). - Be more paranoid (but probably not paranoid enough) about mixing output back into the pool. This is an improvement, but it needs revisiting soon. We should follow the spirit of some of the recommendations in the Schneier PRNG papers: http://www.counterpane.com/yarrow-notes.html http://www.counterpane.com/pseudorandom_number.html including: - two (or more) stage operation for better isolation between inputs and outputs. - use of keyed one-way functions (probably better even than invertible keyed functions like 3DES) at key points in the data flow, so that breaking the PRNG is clearly as hard as breaking the function.
2000-06-06 03:42:34 +04:00
#endif
Addition of /dev/random and in-kernel random value generation. Over the next few days (thank goodness for long weekends) I'll be hunting down device drivers and adding hooks to gather entropy from many devices, and adding the conf.c changes to the various port's device structs to define major numbers for /dev/random and /dev/urandom.
1997-10-10 03:13:12 +04:00
/*
* add a buffer's worth of data to the pool.
*/
void
rndpool_add_data(rp, p, len, entropy)
rndpool_t *rp;
void *p;
u_int32_t len;
u_int32_t entropy;
{
u_int32_t val;
u_int8_t *buf;
buf = p;
for (; len > 3 ; len -= 4) {
val = *((u_int32_t *)buf);
rndpool_add_one_word(rp, val);
buf += 4;
}
if (len != 0) {
/dev/random code cleanups: - Add comments about which spls apply to which data structures. - Consistently protect the rnd_samples queue (the queue of unprocessed samples) at splhigh(). - allow MD code to supply cpu_timestamp() and cpu_havetimestamp() for an optional higher-resolution clock/roulette wheel source. - Collect more statistics on the pool state (keeping track of where collected bits are going, in addition to where they came from). - Add RNDGETPOOLSTAT ioctl to get the additional stats. - Flush a few unused rndpool calls. - XXX XXX Cryptographic changes: - 32-bit rotate is: ((val << rp->rotate) | (val >> (32 - rp->rotate))), not (val << rp->rotate) | (val >> rp->rotate) or ((val << rp->rotate) | (val >> (31 - rp->rotate))) - Avoid overloading of rp->rotate and double-rotation of data (which limited pool mixing somewhat; "rotate" never got above 7). - Be more paranoid (but probably not paranoid enough) about mixing output back into the pool. This is an improvement, but it needs revisiting soon. We should follow the spirit of some of the recommendations in the Schneier PRNG papers: http://www.counterpane.com/yarrow-notes.html http://www.counterpane.com/pseudorandom_number.html including: - two (or more) stage operation for better isolation between inputs and outputs. - use of keyed one-way functions (probably better even than invertible keyed functions like 3DES) at key points in the data flow, so that breaking the PRNG is clearly as hard as breaking the function.
2000-06-06 03:42:34 +04:00
val = 0;
Addition of /dev/random and in-kernel random value generation. Over the next few days (thank goodness for long weekends) I'll be hunting down device drivers and adding hooks to gather entropy from many devices, and adding the conf.c changes to the various port's device structs to define major numbers for /dev/random and /dev/urandom.
1997-10-10 03:13:12 +04:00
switch (len) {
case 3:
val = *buf++;
case 2:
val = val << 8 | *buf++;
case 1:
val = val << 8 | *buf++;
}
rndpool_add_one_word(rp, val);
}
/dev/random code cleanups: - Add comments about which spls apply to which data structures. - Consistently protect the rnd_samples queue (the queue of unprocessed samples) at splhigh(). - allow MD code to supply cpu_timestamp() and cpu_havetimestamp() for an optional higher-resolution clock/roulette wheel source. - Collect more statistics on the pool state (keeping track of where collected bits are going, in addition to where they came from). - Add RNDGETPOOLSTAT ioctl to get the additional stats. - Flush a few unused rndpool calls. - XXX XXX Cryptographic changes: - 32-bit rotate is: ((val << rp->rotate) | (val >> (32 - rp->rotate))), not (val << rp->rotate) | (val >> rp->rotate) or ((val << rp->rotate) | (val >> (31 - rp->rotate))) - Avoid overloading of rp->rotate and double-rotation of data (which limited pool mixing somewhat; "rotate" never got above 7). - Be more paranoid (but probably not paranoid enough) about mixing output back into the pool. This is an improvement, but it needs revisiting soon. We should follow the spirit of some of the recommendations in the Schneier PRNG papers: http://www.counterpane.com/yarrow-notes.html http://www.counterpane.com/pseudorandom_number.html including: - two (or more) stage operation for better isolation between inputs and outputs. - use of keyed one-way functions (probably better even than invertible keyed functions like 3DES) at key points in the data flow, so that breaking the PRNG is clearly as hard as breaking the function.
2000-06-06 03:42:34 +04:00
rp->stats.curentropy += entropy;
rp->stats.added += entropy;
if (rp->stats.curentropy > RND_POOLBITS) {
rp->stats.discarded += (rp->stats.curentropy - RND_POOLBITS);
rp->stats.curentropy = RND_POOLBITS;
Addition of /dev/random and in-kernel random value generation. Over the next few days (thank goodness for long weekends) I'll be hunting down device drivers and adding hooks to gather entropy from many devices, and adding the conf.c changes to the various port's device structs to define major numbers for /dev/random and /dev/urandom.
1997-10-10 03:13:12 +04:00
}
}
/*
* Extract some number of bytes from the random pool, decreasing the
* estimate of randomness as each byte is extracted.
*
* Do this by stiring the pool and returning a part of hash as randomness.
* Note that no secrets are given away here since parts of the hash are
* xored together before returned.
*
* Honor the request from the caller to only return good data, any data,
* etc. Note that we must have at least 64 bits of entropy in the pool
* before we return anything in the high-quality modes.
*/
int
rndpool_extract_data(rp, p, len, mode)
rndpool_t *rp;
void *p;
u_int32_t len;
u_int32_t mode;
{
u_int i;
Move RND_ENTROPY_THRESHOLD to sys/rnd.h. Use sha1 rather than md5, and release the first 96 bits of the hash directly rather than by folding. The full 160 bit hash is mixed back into the entropy pool. This keeps 64 bits secret to stir the pool with.
1998-05-27 04:59:14 +04:00
SHA1_CTX hash;
/dev/random code cleanups: - Add comments about which spls apply to which data structures. - Consistently protect the rnd_samples queue (the queue of unprocessed samples) at splhigh(). - allow MD code to supply cpu_timestamp() and cpu_havetimestamp() for an optional higher-resolution clock/roulette wheel source. - Collect more statistics on the pool state (keeping track of where collected bits are going, in addition to where they came from). - Add RNDGETPOOLSTAT ioctl to get the additional stats. - Flush a few unused rndpool calls. - XXX XXX Cryptographic changes: - 32-bit rotate is: ((val << rp->rotate) | (val >> (32 - rp->rotate))), not (val << rp->rotate) | (val >> rp->rotate) or ((val << rp->rotate) | (val >> (31 - rp->rotate))) - Avoid overloading of rp->rotate and double-rotation of data (which limited pool mixing somewhat; "rotate" never got above 7). - Be more paranoid (but probably not paranoid enough) about mixing output back into the pool. This is an improvement, but it needs revisiting soon. We should follow the spirit of some of the recommendations in the Schneier PRNG papers: http://www.counterpane.com/yarrow-notes.html http://www.counterpane.com/pseudorandom_number.html including: - two (or more) stage operation for better isolation between inputs and outputs. - use of keyed one-way functions (probably better even than invertible keyed functions like 3DES) at key points in the data flow, so that breaking the PRNG is clearly as hard as breaking the function.
2000-06-06 03:42:34 +04:00
u_char digest[20]; /* XXX SHA knowledge */
u_int32_t remain, deltae, count;
Addition of /dev/random and in-kernel random value generation. Over the next few days (thank goodness for long weekends) I'll be hunting down device drivers and adding hooks to gather entropy from many devices, and adding the conf.c changes to the various port's device structs to define major numbers for /dev/random and /dev/urandom.
1997-10-10 03:13:12 +04:00
u_int8_t *buf;
int good;
buf = p;
remain = len;
if (mode == RND_EXTRACT_ANY)
good = 1;
else
/dev/random code cleanups: - Add comments about which spls apply to which data structures. - Consistently protect the rnd_samples queue (the queue of unprocessed samples) at splhigh(). - allow MD code to supply cpu_timestamp() and cpu_havetimestamp() for an optional higher-resolution clock/roulette wheel source. - Collect more statistics on the pool state (keeping track of where collected bits are going, in addition to where they came from). - Add RNDGETPOOLSTAT ioctl to get the additional stats. - Flush a few unused rndpool calls. - XXX XXX Cryptographic changes: - 32-bit rotate is: ((val << rp->rotate) | (val >> (32 - rp->rotate))), not (val << rp->rotate) | (val >> rp->rotate) or ((val << rp->rotate) | (val >> (31 - rp->rotate))) - Avoid overloading of rp->rotate and double-rotation of data (which limited pool mixing somewhat; "rotate" never got above 7). - Be more paranoid (but probably not paranoid enough) about mixing output back into the pool. This is an improvement, but it needs revisiting soon. We should follow the spirit of some of the recommendations in the Schneier PRNG papers: http://www.counterpane.com/yarrow-notes.html http://www.counterpane.com/pseudorandom_number.html including: - two (or more) stage operation for better isolation between inputs and outputs. - use of keyed one-way functions (probably better even than invertible keyed functions like 3DES) at key points in the data flow, so that breaking the PRNG is clearly as hard as breaking the function.
2000-06-06 03:42:34 +04:00
good = (rp->stats.curentropy >= (8 * RND_ENTROPY_THRESHOLD));
Addition of /dev/random and in-kernel random value generation. Over the next few days (thank goodness for long weekends) I'll be hunting down device drivers and adding hooks to gather entropy from many devices, and adding the conf.c changes to the various port's device structs to define major numbers for /dev/random and /dev/urandom.
1997-10-10 03:13:12 +04:00
/dev/random code cleanups: - Add comments about which spls apply to which data structures. - Consistently protect the rnd_samples queue (the queue of unprocessed samples) at splhigh(). - allow MD code to supply cpu_timestamp() and cpu_havetimestamp() for an optional higher-resolution clock/roulette wheel source. - Collect more statistics on the pool state (keeping track of where collected bits are going, in addition to where they came from). - Add RNDGETPOOLSTAT ioctl to get the additional stats. - Flush a few unused rndpool calls. - XXX XXX Cryptographic changes: - 32-bit rotate is: ((val << rp->rotate) | (val >> (32 - rp->rotate))), not (val << rp->rotate) | (val >> rp->rotate) or ((val << rp->rotate) | (val >> (31 - rp->rotate))) - Avoid overloading of rp->rotate and double-rotation of data (which limited pool mixing somewhat; "rotate" never got above 7). - Be more paranoid (but probably not paranoid enough) about mixing output back into the pool. This is an improvement, but it needs revisiting soon. We should follow the spirit of some of the recommendations in the Schneier PRNG papers: http://www.counterpane.com/yarrow-notes.html http://www.counterpane.com/pseudorandom_number.html including: - two (or more) stage operation for better isolation between inputs and outputs. - use of keyed one-way functions (probably better even than invertible keyed functions like 3DES) at key points in the data flow, so that breaking the PRNG is clearly as hard as breaking the function.
2000-06-06 03:42:34 +04:00
assert(RND_ENTROPY_THRESHOLD*2 <= 20); /* XXX SHA knowledge */
Addition of /dev/random and in-kernel random value generation. Over the next few days (thank goodness for long weekends) I'll be hunting down device drivers and adding hooks to gather entropy from many devices, and adding the conf.c changes to the various port's device structs to define major numbers for /dev/random and /dev/urandom.
1997-10-10 03:13:12 +04:00
while (good && (remain != 0)) {
/dev/random code cleanups: - Add comments about which spls apply to which data structures. - Consistently protect the rnd_samples queue (the queue of unprocessed samples) at splhigh(). - allow MD code to supply cpu_timestamp() and cpu_havetimestamp() for an optional higher-resolution clock/roulette wheel source. - Collect more statistics on the pool state (keeping track of where collected bits are going, in addition to where they came from). - Add RNDGETPOOLSTAT ioctl to get the additional stats. - Flush a few unused rndpool calls. - XXX XXX Cryptographic changes: - 32-bit rotate is: ((val << rp->rotate) | (val >> (32 - rp->rotate))), not (val << rp->rotate) | (val >> rp->rotate) or ((val << rp->rotate) | (val >> (31 - rp->rotate))) - Avoid overloading of rp->rotate and double-rotation of data (which limited pool mixing somewhat; "rotate" never got above 7). - Be more paranoid (but probably not paranoid enough) about mixing output back into the pool. This is an improvement, but it needs revisiting soon. We should follow the spirit of some of the recommendations in the Schneier PRNG papers: http://www.counterpane.com/yarrow-notes.html http://www.counterpane.com/pseudorandom_number.html including: - two (or more) stage operation for better isolation between inputs and outputs. - use of keyed one-way functions (probably better even than invertible keyed functions like 3DES) at key points in the data flow, so that breaking the PRNG is clearly as hard as breaking the function.
2000-06-06 03:42:34 +04:00
/*
* While bytes are requested, compute the hash of the pool,
* and then "fold" the hash in half with XOR, keeping the
* exact hash value secret, as it will be stirred back into
* the pool.
*
* XXX this approach needs examination by competant
* cryptographers! It's rather expensive per bit but
* also involves every bit of the pool in the
* computation of every output bit..
*/
Move RND_ENTROPY_THRESHOLD to sys/rnd.h. Use sha1 rather than md5, and release the first 96 bits of the hash directly rather than by folding. The full 160 bit hash is mixed back into the entropy pool. This keeps 64 bits secret to stir the pool with.
1998-05-27 04:59:14 +04:00
SHA1Init(&hash);
SHA1Update(&hash, (u_int8_t *)rp->pool, RND_POOLWORDS * 4);
/dev/random code cleanups: - Add comments about which spls apply to which data structures. - Consistently protect the rnd_samples queue (the queue of unprocessed samples) at splhigh(). - allow MD code to supply cpu_timestamp() and cpu_havetimestamp() for an optional higher-resolution clock/roulette wheel source. - Collect more statistics on the pool state (keeping track of where collected bits are going, in addition to where they came from). - Add RNDGETPOOLSTAT ioctl to get the additional stats. - Flush a few unused rndpool calls. - XXX XXX Cryptographic changes: - 32-bit rotate is: ((val << rp->rotate) | (val >> (32 - rp->rotate))), not (val << rp->rotate) | (val >> rp->rotate) or ((val << rp->rotate) | (val >> (31 - rp->rotate))) - Avoid overloading of rp->rotate and double-rotation of data (which limited pool mixing somewhat; "rotate" never got above 7). - Be more paranoid (but probably not paranoid enough) about mixing output back into the pool. This is an improvement, but it needs revisiting soon. We should follow the spirit of some of the recommendations in the Schneier PRNG papers: http://www.counterpane.com/yarrow-notes.html http://www.counterpane.com/pseudorandom_number.html including: - two (or more) stage operation for better isolation between inputs and outputs. - use of keyed one-way functions (probably better even than invertible keyed functions like 3DES) at key points in the data flow, so that breaking the PRNG is clearly as hard as breaking the function.
2000-06-06 03:42:34 +04:00
SHA1Final(digest, &hash);
Addition of /dev/random and in-kernel random value generation. Over the next few days (thank goodness for long weekends) I'll be hunting down device drivers and adding hooks to gather entropy from many devices, and adding the conf.c changes to the various port's device structs to define major numbers for /dev/random and /dev/urandom.
1997-10-10 03:13:12 +04:00
/*
/dev/random code cleanups: - Add comments about which spls apply to which data structures. - Consistently protect the rnd_samples queue (the queue of unprocessed samples) at splhigh(). - allow MD code to supply cpu_timestamp() and cpu_havetimestamp() for an optional higher-resolution clock/roulette wheel source. - Collect more statistics on the pool state (keeping track of where collected bits are going, in addition to where they came from). - Add RNDGETPOOLSTAT ioctl to get the additional stats. - Flush a few unused rndpool calls. - XXX XXX Cryptographic changes: - 32-bit rotate is: ((val << rp->rotate) | (val >> (32 - rp->rotate))), not (val << rp->rotate) | (val >> rp->rotate) or ((val << rp->rotate) | (val >> (31 - rp->rotate))) - Avoid overloading of rp->rotate and double-rotation of data (which limited pool mixing somewhat; "rotate" never got above 7). - Be more paranoid (but probably not paranoid enough) about mixing output back into the pool. This is an improvement, but it needs revisiting soon. We should follow the spirit of some of the recommendations in the Schneier PRNG papers: http://www.counterpane.com/yarrow-notes.html http://www.counterpane.com/pseudorandom_number.html including: - two (or more) stage operation for better isolation between inputs and outputs. - use of keyed one-way functions (probably better even than invertible keyed functions like 3DES) at key points in the data flow, so that breaking the PRNG is clearly as hard as breaking the function.
2000-06-06 03:42:34 +04:00
* Stir the hash back into the pool. This guarantees
* that the next hash will generate a different value
* if no new values were added to the pool.
Addition of /dev/random and in-kernel random value generation. Over the next few days (thank goodness for long weekends) I'll be hunting down device drivers and adding hooks to gather entropy from many devices, and adding the conf.c changes to the various port's device structs to define major numbers for /dev/random and /dev/urandom.
1997-10-10 03:13:12 +04:00
*/
/dev/random code cleanups: - Add comments about which spls apply to which data structures. - Consistently protect the rnd_samples queue (the queue of unprocessed samples) at splhigh(). - allow MD code to supply cpu_timestamp() and cpu_havetimestamp() for an optional higher-resolution clock/roulette wheel source. - Collect more statistics on the pool state (keeping track of where collected bits are going, in addition to where they came from). - Add RNDGETPOOLSTAT ioctl to get the additional stats. - Flush a few unused rndpool calls. - XXX XXX Cryptographic changes: - 32-bit rotate is: ((val << rp->rotate) | (val >> (32 - rp->rotate))), not (val << rp->rotate) | (val >> rp->rotate) or ((val << rp->rotate) | (val >> (31 - rp->rotate))) - Avoid overloading of rp->rotate and double-rotation of data (which limited pool mixing somewhat; "rotate" never got above 7). - Be more paranoid (but probably not paranoid enough) about mixing output back into the pool. This is an improvement, but it needs revisiting soon. We should follow the spirit of some of the recommendations in the Schneier PRNG papers: http://www.counterpane.com/yarrow-notes.html http://www.counterpane.com/pseudorandom_number.html including: - two (or more) stage operation for better isolation between inputs and outputs. - use of keyed one-way functions (probably better even than invertible keyed functions like 3DES) at key points in the data flow, so that breaking the PRNG is clearly as hard as breaking the function.
2000-06-06 03:42:34 +04:00
for (i = 0 ; i < 5 ; i++) {
u_int32_t word;
memcpy(&word, &digest[i*4], 4);
rndpool_add_one_word(rp, word);
Addition of /dev/random and in-kernel random value generation. Over the next few days (thank goodness for long weekends) I'll be hunting down device drivers and adding hooks to gather entropy from many devices, and adding the conf.c changes to the various port's device structs to define major numbers for /dev/random and /dev/urandom.
1997-10-10 03:13:12 +04:00
}
/dev/random code cleanups: - Add comments about which spls apply to which data structures. - Consistently protect the rnd_samples queue (the queue of unprocessed samples) at splhigh(). - allow MD code to supply cpu_timestamp() and cpu_havetimestamp() for an optional higher-resolution clock/roulette wheel source. - Collect more statistics on the pool state (keeping track of where collected bits are going, in addition to where they came from). - Add RNDGETPOOLSTAT ioctl to get the additional stats. - Flush a few unused rndpool calls. - XXX XXX Cryptographic changes: - 32-bit rotate is: ((val << rp->rotate) | (val >> (32 - rp->rotate))), not (val << rp->rotate) | (val >> rp->rotate) or ((val << rp->rotate) | (val >> (31 - rp->rotate))) - Avoid overloading of rp->rotate and double-rotation of data (which limited pool mixing somewhat; "rotate" never got above 7). - Be more paranoid (but probably not paranoid enough) about mixing output back into the pool. This is an improvement, but it needs revisiting soon. We should follow the spirit of some of the recommendations in the Schneier PRNG papers: http://www.counterpane.com/yarrow-notes.html http://www.counterpane.com/pseudorandom_number.html including: - two (or more) stage operation for better isolation between inputs and outputs. - use of keyed one-way functions (probably better even than invertible keyed functions like 3DES) at key points in the data flow, so that breaking the PRNG is clearly as hard as breaking the function.
2000-06-06 03:42:34 +04:00
count = min(remain, RND_ENTROPY_THRESHOLD);
for (i=0; i<count; i++)
buf[i] = digest[i] ^ digest[i+RND_ENTROPY_THRESHOLD];
buf += count;
deltae = count * 8;
remain -= count;
deltae = min(deltae, rp->stats.curentropy);
rp->stats.removed += deltae;
rp->stats.curentropy -= deltae;
if (rp->stats.curentropy == 0)
rp->stats.generated += (count * 8) - deltae;
Addition of /dev/random and in-kernel random value generation. Over the next few days (thank goodness for long weekends) I'll be hunting down device drivers and adding hooks to gather entropy from many devices, and adding the conf.c changes to the various port's device structs to define major numbers for /dev/random and /dev/urandom.
1997-10-10 03:13:12 +04:00
if (mode == RND_EXTRACT_GOOD)
/dev/random code cleanups: - Add comments about which spls apply to which data structures. - Consistently protect the rnd_samples queue (the queue of unprocessed samples) at splhigh(). - allow MD code to supply cpu_timestamp() and cpu_havetimestamp() for an optional higher-resolution clock/roulette wheel source. - Collect more statistics on the pool state (keeping track of where collected bits are going, in addition to where they came from). - Add RNDGETPOOLSTAT ioctl to get the additional stats. - Flush a few unused rndpool calls. - XXX XXX Cryptographic changes: - 32-bit rotate is: ((val << rp->rotate) | (val >> (32 - rp->rotate))), not (val << rp->rotate) | (val >> rp->rotate) or ((val << rp->rotate) | (val >> (31 - rp->rotate))) - Avoid overloading of rp->rotate and double-rotation of data (which limited pool mixing somewhat; "rotate" never got above 7). - Be more paranoid (but probably not paranoid enough) about mixing output back into the pool. This is an improvement, but it needs revisiting soon. We should follow the spirit of some of the recommendations in the Schneier PRNG papers: http://www.counterpane.com/yarrow-notes.html http://www.counterpane.com/pseudorandom_number.html including: - two (or more) stage operation for better isolation between inputs and outputs. - use of keyed one-way functions (probably better even than invertible keyed functions like 3DES) at key points in the data flow, so that breaking the PRNG is clearly as hard as breaking the function.
2000-06-06 03:42:34 +04:00
good = (rp->stats.curentropy >=
(8 * RND_ENTROPY_THRESHOLD));
Addition of /dev/random and in-kernel random value generation. Over the next few days (thank goodness for long weekends) I'll be hunting down device drivers and adding hooks to gather entropy from many devices, and adding the conf.c changes to the various port's device structs to define major numbers for /dev/random and /dev/urandom.
1997-10-10 03:13:12 +04:00
}
Move RND_ENTROPY_THRESHOLD to sys/rnd.h. Use sha1 rather than md5, and release the first 96 bits of the hash directly rather than by folding. The full 160 bit hash is mixed back into the entropy pool. This keeps 64 bits secret to stir the pool with.
1998-05-27 04:59:14 +04:00
bzero(&hash, sizeof(hash));
Addition of /dev/random and in-kernel random value generation. Over the next few days (thank goodness for long weekends) I'll be hunting down device drivers and adding hooks to gather entropy from many devices, and adding the conf.c changes to the various port's device structs to define major numbers for /dev/random and /dev/urandom.
1997-10-10 03:13:12 +04:00
bzero(digest, sizeof(digest));
return (len - remain);
}