First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>. This change includes
the following:
An initial cleanup and minor reorganization of the entropy pool
code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are
fixed. Some effort is made to accumulate entropy more quickly at
boot time.
A generic interface, "rndsink", is added, for stream generators to
request that they be re-keyed with good quality entropy from the pool
as soon as it is available.
The arc4random()/arc4randbytes() implementation in libkern is
adjusted to use the rndsink interface for rekeying, which helps
address the problem of low-quality keys at boot time.
An implementation of the FIPS 140-2 statistical tests for random
number generator quality is provided (libkern/rngtest.c). This
is based on Greg Rose's implementation from Qualcomm.
A new random stream generator, nist_ctr_drbg, is provided. It is
based on an implementation of the NIST SP800-90 CTR_DRBG by
Henric Jungheim. This generator users AES in a modified counter
mode to generate a backtracking-resistant random stream.
An abstraction layer, "cprng", is provided for in-kernel consumers
of randomness. The arc4random/arc4randbytes API is deprecated for
in-kernel use. It is replaced by "cprng_strong". The current
cprng_fast implementation wraps the existing arc4random
implementation. The current cprng_strong implementation wraps the
new CTR_DRBG implementation. Both interfaces are rekeyed from
the entropy pool automatically at intervals justifiable from best
current cryptographic practice.
In some quick tests, cprng_fast() is about the same speed as
the old arc4randbytes(), and cprng_strong() is about 20% faster
than rnd_extract_data(). Performance is expected to improve.
The AES code in src/crypto/rijndael is no longer an optional
kernel component, as it is required by cprng_strong, which is
not an optional kernel component.
The entropy pool output is subjected to the rngtest tests at
startup time; if it fails, the system will reboot. There is
approximately a 3/10000 chance of a false positive from these
tests. Entropy pool _input_ from hardware random numbers is
subjected to the rngtest tests at attach time, as well as the
FIPS continuous-output test, to detect bad or stuck hardware
RNGs; if any are detected, they are detached, but the system
continues to run.
A problem with rndctl(8) is fixed -- datastructures with
pointers in arrays are no longer passed to userspace (this
was not a security problem, but rather a major issue for
compat32). A new kernel will require a new rndctl.
The sysctl kern.arandom() and kern.urandom() nodes are hooked
up to the new generators, but the /dev/*random pseudodevices
are not, yet.
Manual pages for the new kernel interfaces are forthcoming.
2011-11-20 02:51:18 +04:00
|
|
|
/* $NetBSD: ffs_appleufs.c,v 1.12 2011/11/19 22:51:31 tls Exp $ */
|
2003-10-13 21:07:55 +04:00
|
|
|
|
2002-09-29 00:11:05 +04:00
|
|
|
/*
|
|
|
|
|
* Copyright (c) 2002 Darrin B. Jewell
|
|
|
|
|
* All rights reserved.
|
|
|
|
|
*
|
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
|
* are met:
|
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
|
|
|
* documentation and/or other materials provided with the distribution.
|
|
|
|
|
*
|
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
|
|
|
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
|
|
|
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
|
|
|
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
|
|
|
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
|
|
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
|
|
|
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
|
|
|
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
|
|
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
|
|
|
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <sys/cdefs.h>
|
First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>. This change includes
the following:
An initial cleanup and minor reorganization of the entropy pool
code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are
fixed. Some effort is made to accumulate entropy more quickly at
boot time.
A generic interface, "rndsink", is added, for stream generators to
request that they be re-keyed with good quality entropy from the pool
as soon as it is available.
The arc4random()/arc4randbytes() implementation in libkern is
adjusted to use the rndsink interface for rekeying, which helps
address the problem of low-quality keys at boot time.
An implementation of the FIPS 140-2 statistical tests for random
number generator quality is provided (libkern/rngtest.c). This
is based on Greg Rose's implementation from Qualcomm.
A new random stream generator, nist_ctr_drbg, is provided. It is
based on an implementation of the NIST SP800-90 CTR_DRBG by
Henric Jungheim. This generator users AES in a modified counter
mode to generate a backtracking-resistant random stream.
An abstraction layer, "cprng", is provided for in-kernel consumers
of randomness. The arc4random/arc4randbytes API is deprecated for
in-kernel use. It is replaced by "cprng_strong". The current
cprng_fast implementation wraps the existing arc4random
implementation. The current cprng_strong implementation wraps the
new CTR_DRBG implementation. Both interfaces are rekeyed from
the entropy pool automatically at intervals justifiable from best
current cryptographic practice.
In some quick tests, cprng_fast() is about the same speed as
the old arc4randbytes(), and cprng_strong() is about 20% faster
than rnd_extract_data(). Performance is expected to improve.
The AES code in src/crypto/rijndael is no longer an optional
kernel component, as it is required by cprng_strong, which is
not an optional kernel component.
The entropy pool output is subjected to the rngtest tests at
startup time; if it fails, the system will reboot. There is
approximately a 3/10000 chance of a false positive from these
tests. Entropy pool _input_ from hardware random numbers is
subjected to the rngtest tests at attach time, as well as the
FIPS continuous-output test, to detect bad or stuck hardware
RNGs; if any are detected, they are detached, but the system
continues to run.
A problem with rndctl(8) is fixed -- datastructures with
pointers in arrays are no longer passed to userspace (this
was not a security problem, but rather a major issue for
compat32). A new kernel will require a new rndctl.
The sysctl kern.arandom() and kern.urandom() nodes are hooked
up to the new generators, but the /dev/*random pseudodevices
are not, yet.
Manual pages for the new kernel interfaces are forthcoming.
2011-11-20 02:51:18 +04:00
|
|
|
__KERNEL_RCSID(0, "$NetBSD: ffs_appleufs.c,v 1.12 2011/11/19 22:51:31 tls Exp $");
|
2002-09-29 00:11:05 +04:00
|
|
|
|
|
|
|
|
#include <sys/param.h>
|
|
|
|
|
#include <sys/time.h>
|
|
|
|
|
#if defined(_KERNEL)
|
|
|
|
|
#include <sys/kernel.h>
|
|
|
|
|
#include <sys/systm.h>
|
First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>. This change includes
the following:
An initial cleanup and minor reorganization of the entropy pool
code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are
fixed. Some effort is made to accumulate entropy more quickly at
boot time.
A generic interface, "rndsink", is added, for stream generators to
request that they be re-keyed with good quality entropy from the pool
as soon as it is available.
The arc4random()/arc4randbytes() implementation in libkern is
adjusted to use the rndsink interface for rekeying, which helps
address the problem of low-quality keys at boot time.
An implementation of the FIPS 140-2 statistical tests for random
number generator quality is provided (libkern/rngtest.c). This
is based on Greg Rose's implementation from Qualcomm.
A new random stream generator, nist_ctr_drbg, is provided. It is
based on an implementation of the NIST SP800-90 CTR_DRBG by
Henric Jungheim. This generator users AES in a modified counter
mode to generate a backtracking-resistant random stream.
An abstraction layer, "cprng", is provided for in-kernel consumers
of randomness. The arc4random/arc4randbytes API is deprecated for
in-kernel use. It is replaced by "cprng_strong". The current
cprng_fast implementation wraps the existing arc4random
implementation. The current cprng_strong implementation wraps the
new CTR_DRBG implementation. Both interfaces are rekeyed from
the entropy pool automatically at intervals justifiable from best
current cryptographic practice.
In some quick tests, cprng_fast() is about the same speed as
the old arc4randbytes(), and cprng_strong() is about 20% faster
than rnd_extract_data(). Performance is expected to improve.
The AES code in src/crypto/rijndael is no longer an optional
kernel component, as it is required by cprng_strong, which is
not an optional kernel component.
The entropy pool output is subjected to the rngtest tests at
startup time; if it fails, the system will reboot. There is
approximately a 3/10000 chance of a false positive from these
tests. Entropy pool _input_ from hardware random numbers is
subjected to the rngtest tests at attach time, as well as the
FIPS continuous-output test, to detect bad or stuck hardware
RNGs; if any are detected, they are detached, but the system
continues to run.
A problem with rndctl(8) is fixed -- datastructures with
pointers in arrays are no longer passed to userspace (this
was not a security problem, but rather a major issue for
compat32). A new kernel will require a new rndctl.
The sysctl kern.arandom() and kern.urandom() nodes are hooked
up to the new generators, but the /dev/*random pseudodevices
are not, yet.
Manual pages for the new kernel interfaces are forthcoming.
2011-11-20 02:51:18 +04:00
|
|
|
#include <sys/cprng.h>
|
2002-09-29 00:11:05 +04:00
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
#include <ufs/ufs/dinode.h>
|
|
|
|
|
#include <ufs/ufs/ufs_bswap.h>
|
|
|
|
|
#include <ufs/ffs/fs.h>
|
|
|
|
|
#include <ufs/ffs/ffs_extern.h>
|
|
|
|
|
|
|
|
|
|
#if !defined(_KERNEL) && !defined(STANDALONE)
|
|
|
|
|
#include <stddef.h>
|
|
|
|
|
#include <stdio.h>
|
|
|
|
|
#include <stdlib.h>
|
|
|
|
|
#include <string.h>
|
|
|
|
|
#include <errno.h>
|
|
|
|
|
#include <assert.h>
|
|
|
|
|
#define KASSERT(x) assert(x)
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* this is the same calculation as in_cksum
|
|
|
|
|
*/
|
|
|
|
|
u_int16_t
|
2005-07-15 09:01:16 +04:00
|
|
|
ffs_appleufs_cksum(const struct appleufslabel *appleufs)
|
2002-09-29 00:11:05 +04:00
|
|
|
{
|
|
|
|
|
const u_int16_t *p = (const u_int16_t *)appleufs;
|
2004-01-02 09:57:46 +03:00
|
|
|
int len = APPLEUFS_LABEL_SIZE; /* sizeof(struct appleufslabel) */
|
2002-09-29 00:11:05 +04:00
|
|
|
long res = 0;
|
|
|
|
|
while (len > 1) {
|
|
|
|
|
res += *p++;
|
|
|
|
|
len -= 2;
|
|
|
|
|
}
|
2004-01-02 09:57:46 +03:00
|
|
|
#if 0 /* APPLEUFS_LABEL_SIZE is guaranteed to be even */
|
2002-09-29 00:11:05 +04:00
|
|
|
if (len == 1)
|
2002-11-02 22:31:09 +03:00
|
|
|
res += htobe16(*(u_char *)p<<8);
|
2002-09-29 00:11:05 +04:00
|
|
|
#endif
|
|
|
|
|
res = (res >> 16) + (res & 0xffff);
|
|
|
|
|
res += (res >> 16);
|
|
|
|
|
return (~res);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* copies o to n, validating and byteswapping along the way
|
|
|
|
|
* returns 0 if ok, EINVAL if not valid
|
|
|
|
|
*/
|
|
|
|
|
int
|
2005-07-15 09:01:16 +04:00
|
|
|
ffs_appleufs_validate(const char *name, const struct appleufslabel *o,
|
|
|
|
|
struct appleufslabel *n)
|
2002-09-29 00:11:05 +04:00
|
|
|
{
|
|
|
|
|
struct appleufslabel tmp;
|
|
|
|
|
if (!n) n = &tmp;
|
|
|
|
|
|
2002-11-02 22:31:09 +03:00
|
|
|
if (o->ul_magic != be32toh(APPLEUFS_LABEL_MAGIC)) {
|
2002-09-29 00:11:05 +04:00
|
|
|
return EINVAL;
|
|
|
|
|
}
|
|
|
|
|
*n = *o;
|
|
|
|
|
n->ul_checksum = 0;
|
|
|
|
|
n->ul_checksum = ffs_appleufs_cksum(n);
|
|
|
|
|
if (n->ul_checksum != o->ul_checksum) {
|
|
|
|
|
#if defined(DIAGNOSTIC) || !defined(_KERNEL)
|
|
|
|
|
printf("%s: invalid APPLE UFS checksum. found 0x%x, expecting 0x%x",
|
|
|
|
|
name,o->ul_checksum,n->ul_checksum);
|
|
|
|
|
#endif
|
|
|
|
|
return EINVAL;
|
|
|
|
|
}
|
2002-11-02 22:31:09 +03:00
|
|
|
n->ul_magic = be32toh(o->ul_magic);
|
|
|
|
|
n->ul_version = be32toh(o->ul_version);
|
|
|
|
|
n->ul_time = be32toh(o->ul_time);
|
|
|
|
|
n->ul_namelen = be16toh(o->ul_namelen);
|
2002-09-29 00:11:05 +04:00
|
|
|
|
|
|
|
|
if (n->ul_namelen > APPLEUFS_MAX_LABEL_NAME) {
|
|
|
|
|
#if defined(DIAGNOSTIC) || !defined(_KERNEL)
|
|
|
|
|
printf("%s: APPLE UFS label name too long, truncated.\n",
|
|
|
|
|
name);
|
|
|
|
|
#endif
|
|
|
|
|
n->ul_namelen = APPLEUFS_MAX_LABEL_NAME;
|
|
|
|
|
}
|
2004-01-02 09:57:46 +03:00
|
|
|
/* if len is max, will set ul_unused1 */
|
2011-06-22 08:01:33 +04:00
|
|
|
n->ul_name[n->ul_namelen - 1] = '\0';
|
2004-01-02 09:57:46 +03:00
|
|
|
|
2002-09-29 00:11:05 +04:00
|
|
|
#ifdef DEBUG
|
2004-01-02 09:57:46 +03:00
|
|
|
printf("%s: found APPLE UFS label v%d: \"%s\"\n",
|
|
|
|
|
name,n->ul_version,n->ul_name);
|
2002-09-29 00:11:05 +04:00
|
|
|
#endif
|
2004-01-02 08:08:57 +03:00
|
|
|
n->ul_uuid = be64toh(o->ul_uuid);
|
2005-02-27 01:31:44 +03:00
|
|
|
|
2002-09-29 00:11:05 +04:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
2005-07-15 09:01:16 +04:00
|
|
|
ffs_appleufs_set(struct appleufslabel *appleufs, const char *name, time_t t,
|
|
|
|
|
uint64_t uuid)
|
2002-09-29 00:11:05 +04:00
|
|
|
{
|
|
|
|
|
size_t namelen;
|
|
|
|
|
if (!name) name = "untitled";
|
|
|
|
|
if (t == ((time_t)-1)) {
|
|
|
|
|
#if defined(_KERNEL)
|
2006-06-11 13:26:04 +04:00
|
|
|
t = time_second;
|
2002-09-29 00:11:05 +04:00
|
|
|
#elif defined(STANDALONE)
|
|
|
|
|
t = 0;
|
|
|
|
|
#else
|
|
|
|
|
(void)time(&t);
|
2004-01-02 08:08:57 +03:00
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
if (uuid == 0) {
|
|
|
|
|
#if defined(_KERNEL) && !defined(STANDALONE)
|
First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>. This change includes
the following:
An initial cleanup and minor reorganization of the entropy pool
code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are
fixed. Some effort is made to accumulate entropy more quickly at
boot time.
A generic interface, "rndsink", is added, for stream generators to
request that they be re-keyed with good quality entropy from the pool
as soon as it is available.
The arc4random()/arc4randbytes() implementation in libkern is
adjusted to use the rndsink interface for rekeying, which helps
address the problem of low-quality keys at boot time.
An implementation of the FIPS 140-2 statistical tests for random
number generator quality is provided (libkern/rngtest.c). This
is based on Greg Rose's implementation from Qualcomm.
A new random stream generator, nist_ctr_drbg, is provided. It is
based on an implementation of the NIST SP800-90 CTR_DRBG by
Henric Jungheim. This generator users AES in a modified counter
mode to generate a backtracking-resistant random stream.
An abstraction layer, "cprng", is provided for in-kernel consumers
of randomness. The arc4random/arc4randbytes API is deprecated for
in-kernel use. It is replaced by "cprng_strong". The current
cprng_fast implementation wraps the existing arc4random
implementation. The current cprng_strong implementation wraps the
new CTR_DRBG implementation. Both interfaces are rekeyed from
the entropy pool automatically at intervals justifiable from best
current cryptographic practice.
In some quick tests, cprng_fast() is about the same speed as
the old arc4randbytes(), and cprng_strong() is about 20% faster
than rnd_extract_data(). Performance is expected to improve.
The AES code in src/crypto/rijndael is no longer an optional
kernel component, as it is required by cprng_strong, which is
not an optional kernel component.
The entropy pool output is subjected to the rngtest tests at
startup time; if it fails, the system will reboot. There is
approximately a 3/10000 chance of a false positive from these
tests. Entropy pool _input_ from hardware random numbers is
subjected to the rngtest tests at attach time, as well as the
FIPS continuous-output test, to detect bad or stuck hardware
RNGs; if any are detected, they are detached, but the system
continues to run.
A problem with rndctl(8) is fixed -- datastructures with
pointers in arrays are no longer passed to userspace (this
was not a security problem, but rather a major issue for
compat32). A new kernel will require a new rndctl.
The sysctl kern.arandom() and kern.urandom() nodes are hooked
up to the new generators, but the /dev/*random pseudodevices
are not, yet.
Manual pages for the new kernel interfaces are forthcoming.
2011-11-20 02:51:18 +04:00
|
|
|
uuid = cprng_fast64();
|
2002-09-29 00:11:05 +04:00
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
namelen = strlen(name);
|
|
|
|
|
if (namelen > APPLEUFS_MAX_LABEL_NAME)
|
|
|
|
|
namelen = APPLEUFS_MAX_LABEL_NAME;
|
2004-01-02 09:57:46 +03:00
|
|
|
memset(appleufs, 0, APPLEUFS_LABEL_SIZE);
|
2002-11-02 22:31:09 +03:00
|
|
|
appleufs->ul_magic = htobe32(APPLEUFS_LABEL_MAGIC);
|
|
|
|
|
appleufs->ul_version = htobe32(APPLEUFS_LABEL_VERSION);
|
|
|
|
|
appleufs->ul_time = htobe32((u_int32_t)t);
|
|
|
|
|
appleufs->ul_namelen = htobe16(namelen);
|
2002-09-29 00:11:05 +04:00
|
|
|
strncpy(appleufs->ul_name,name,namelen);
|
2004-01-02 08:08:57 +03:00
|
|
|
appleufs->ul_uuid = htobe64(uuid);
|
2002-09-29 00:11:05 +04:00
|
|
|
appleufs->ul_checksum = ffs_appleufs_cksum(appleufs);
|
|
|
|
|
}
|