1997-10-15 18:16:17 +04:00
|
|
|
.\" $NetBSD: rnd.4,v 1.2 1997/10/15 14:16:17 is Exp $
|
1997-10-15 11:00:20 +04:00
|
|
|
.\"
|
|
|
|
.\" Copyright (c) 1997 Michael Graff
|
|
|
|
.\" All rights reserved.
|
|
|
|
.\"
|
|
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
|
|
.\" modification, are permitted provided that the following conditions
|
|
|
|
.\" are met:
|
|
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
|
|
.\" 3. The name of the author may not be used to endorse or promote products
|
|
|
|
.\" derived from this software without specific prior written permission.
|
|
|
|
.\"
|
|
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
|
|
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
|
|
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
|
|
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
|
|
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
|
|
|
|
.\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
|
|
|
.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
|
|
|
|
.\" AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
|
|
|
.\" OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
|
|
.\" SUCH DAMAGE.
|
|
|
|
.\"
|
|
|
|
.Dd October 12, 1997
|
|
|
|
.Dt RND 4
|
|
|
|
.Os NetBSD
|
|
|
|
.Sh NAME
|
|
|
|
.Nm rnd
|
|
|
|
.Nd in kernel entropy collection and random number generation
|
|
|
|
.Sh SYNOPSIS
|
|
|
|
.Cd pseudo-device rnd
|
|
|
|
.Sh DESCRIPTION
|
|
|
|
The
|
|
|
|
.Nm
|
|
|
|
pseudo-device uses event timing information collected from many
|
|
|
|
devices, and mixes this into an entropy pool. This pool is stirred
|
|
|
|
with a cryptographically strong hash function when data is extracted
|
|
|
|
from the pool.
|
|
|
|
.Sh INTERNAL ENTROPY POOL MANAGEMENT
|
|
|
|
When a hardware event occurs (such as completion of a hard drive
|
|
|
|
transfer or an interrupt from a network device) a timestamp is
|
|
|
|
generated. This timestamp is compared to the previous timestamp
|
|
|
|
recorded for the device, and the first, second, and third order
|
|
|
|
differentials are calculated.
|
|
|
|
.Pp
|
|
|
|
If any of these differentials is zero, no entropy is assumed to
|
|
|
|
have been gathered. If all are non-zero, one bit is assumed.
|
|
|
|
Next, data is mixed into the entropy pool using an LFSR (linear
|
|
|
|
feedback shift register).
|
|
|
|
.Pp
|
|
|
|
To extract data from the entropy pool, a cryptographically strong hash
|
|
|
|
function is used. The output of this hash is mixed back into the pool
|
|
|
|
using the LFSR, and then folded in half before being returned to the
|
|
|
|
caller.
|
|
|
|
.Pp
|
|
|
|
Mixing the actual hash into the pool causes the next extraction to
|
|
|
|
return a different value, even if no timing events were added to the
|
|
|
|
pool. Folding the data in half prevents the caller to derive the
|
|
|
|
actual hash of the pool, preventing some attacks.
|
|
|
|
.Sh USER ACCESS
|
|
|
|
User code can obtain random values from the kernel in two ways.
|
|
|
|
.Pp
|
|
|
|
Reading from
|
|
|
|
.Pa /dev/random
|
|
|
|
will only return values while sufficient entropy exists in the
|
|
|
|
internal pool. When sufficent entropy does not exist, EAGAIN is
|
|
|
|
returned for non-blocking reads, or the read will block for blocking
|
|
|
|
reads.
|
|
|
|
.Pp
|
|
|
|
Reading from
|
|
|
|
.Pa /dev/urandom
|
|
|
|
will return as many values as requested, even when the entropy pool is
|
|
|
|
empty. This data is not as good as reading from
|
|
|
|
.Pa /dev/random
|
|
|
|
since when the pool is empty, data is still returned, degenerating to a
|
|
|
|
pseudo-random generator.
|
|
|
|
.Pp
|
|
|
|
Writing to either device will mix the data written into the pool using
|
|
|
|
the LFSR as above, without modifying the entropy estimation for the
|
|
|
|
pool.
|
|
|
|
.Sh RANDOM SOURCE STRUCTURE
|
|
|
|
Each source has a state structure which the kernel uses to hold the
|
|
|
|
timing information and other state for that source.
|
|
|
|
.Bd -literal -offset indent
|
|
|
|
typedef struct {
|
|
|
|
char name[16];
|
|
|
|
u_int32_t last_time;
|
|
|
|
u_int32_t last_delta;
|
|
|
|
u_int32_t last_delta2;
|
|
|
|
u_int32_t total;
|
|
|
|
u_int32_t tyfl;
|
|
|
|
} rndsource_t;
|
|
|
|
.Ed
|
|
|
|
.Pp
|
|
|
|
This structure holds the internal representation of a device's timing
|
|
|
|
state. The
|
|
|
|
.Va name
|
|
|
|
field holes the device name, as known to the kernel. The
|
|
|
|
.Va last_time
|
|
|
|
entry is the timestamp of the last time this device generated an
|
|
|
|
event. It is for internal use only, and not in any specific
|
|
|
|
representation. The
|
|
|
|
.Va last_delta
|
|
|
|
and
|
|
|
|
.Va last_delta2
|
|
|
|
fields hold the last first- and second-order deltas. The
|
|
|
|
.Va total
|
|
|
|
field holds a count of how many bits this device has potentially
|
|
|
|
generated. This is not the same as how many bits were used from it.
|
|
|
|
The
|
|
|
|
.Va tyfl
|
|
|
|
field holds the device flags as well as the device type. The lower
|
|
|
|
eight bits hold the device type, and the upper 24 bits are flags
|
|
|
|
represented as a bitfield.
|
|
|
|
.Pp
|
|
|
|
.Bl -tag -width RND_TYPE_DISK
|
|
|
|
Currently, these types are defined:
|
|
|
|
.It Dv RND_TYPE_DISK
|
|
|
|
The device is a physical hard drive.
|
|
|
|
.It Dv RND_TYPE_NET
|
|
|
|
The device is a network interface. By default, timing information is
|
|
|
|
collected from this source type, but entropy is not estimated.
|
|
|
|
.It Dv RND_TYPE_TAPE
|
|
|
|
The device is a tape device.
|
|
|
|
.It Dv RND_TYPE_TTY
|
|
|
|
The device is a terminal, mouse, or other user input device.
|
|
|
|
.El
|
|
|
|
.Pp
|
|
|
|
A device can have these flags set:
|
|
|
|
.Bl -tag -width RND_FLAG_NO_ESTIMATE
|
|
|
|
.It Dv RND_FLAG_NO_ESTIMATE
|
|
|
|
Do not assume any entropy is in the timing information.
|
|
|
|
.It Dv RND_FLAG_NO_COLLECT
|
|
|
|
Do not even add timing information to the pool.
|
|
|
|
.El
|
|
|
|
.Sh IOCTL
|
|
|
|
Various
|
|
|
|
.Xr ioctl 2
|
|
|
|
functions are available to control device behavior, gather statistics,
|
|
|
|
and add data to the entropy pool. These are all defined in the
|
|
|
|
.Aq Pa sys/rnd.h
|
|
|
|
file, along with the data types and constants.
|
|
|
|
.Pp
|
|
|
|
.Bl -tag -width RNDADDTOENTCNT
|
|
|
|
.It Dv RNDGETENTCNT
|
|
|
|
.Pq Li "u_int32_t"
|
|
|
|
Return the current entropy count (in bits).
|
|
|
|
.It Dv RNDSETENTCNT
|
|
|
|
.Pq Li "u_int32_t"
|
|
|
|
Sets the internal entropy count (in bits) to the value given. This
|
|
|
|
should be used with caution, as artifically increasing the entropy
|
|
|
|
count may lead to weakened security.
|
|
|
|
.It Dv RNDADDTOENTCNT
|
|
|
|
.Pq Li "u_int32_t"
|
|
|
|
Increase the entropy count (in bits) by the given amount. This should
|
|
|
|
be used with caution, as artifically increasing the entropy count may
|
|
|
|
lead to weakened security.
|
|
|
|
.It Dv RNDGETPOOL
|
|
|
|
.Pq Li "u_char *"
|
|
|
|
Return the actual contents of the entropy pool. The area pointed to
|
|
|
|
in this call should be
|
|
|
|
.Va "RND_POOLWORDS * 4"
|
|
|
|
bytes long. As this is the actual contents of the entropy pool and
|
|
|
|
not hashes of it, it is extremely important to handle this data with
|
|
|
|
care. Leaking any part of this pool would allow an attacker to
|
|
|
|
predict future random values.
|
|
|
|
.It Dv RNDGETSRCNUM
|
|
|
|
.Pq Li "rndstat_t"
|
|
|
|
.Bd -literal -offset indent
|
|
|
|
typedef struct {
|
|
|
|
u_int32_t start;
|
|
|
|
u_int32_t count;
|
|
|
|
rndsource_t source[RND_MAXSTATCOUNT];
|
|
|
|
} rndstat_t;
|
|
|
|
.Ed
|
|
|
|
.Pp
|
|
|
|
Return data for sources, starting at
|
|
|
|
.Va start
|
|
|
|
and returning at most
|
|
|
|
.Va count
|
|
|
|
sources.
|
|
|
|
.Pp
|
|
|
|
The values returned are actual in-kernel snapshots of the entropy
|
|
|
|
status for devices. Leaking the internal timing information will
|
|
|
|
weaken security.
|
|
|
|
.It Dv RNDGETSRCNAME
|
|
|
|
.Pq Li "rndstat_name_t"
|
|
|
|
.Bd -literal -offset indent
|
|
|
|
typedef struct {
|
|
|
|
char name[16];
|
|
|
|
rndsource_t source;
|
|
|
|
} rndstat_name_t;
|
|
|
|
.Ed
|
|
|
|
.Pp
|
|
|
|
Return the device state for a named device.
|
|
|
|
.It Dv RNDCTL
|
|
|
|
.Pq Li "rndctl_t"
|
|
|
|
.Bd -literal -offset indent
|
|
|
|
typedef struct {
|
|
|
|
char name[16];
|
|
|
|
u_int32_t type;
|
|
|
|
u_int32_t flags;
|
|
|
|
u_int32_t mask;
|
|
|
|
} rndctl_t;
|
|
|
|
.Ed
|
|
|
|
.Pp
|
|
|
|
Change bits in the device state information. If
|
|
|
|
.Va type
|
|
|
|
is 0xff, only the device name stored in
|
|
|
|
.Va name
|
|
|
|
is used. If it is any other value, all devices of type
|
|
|
|
.Va type
|
|
|
|
are altered. This allows all network interfaces to be disabled for
|
1997-10-15 18:16:17 +04:00
|
|
|
entropy collection with one call, for example.
|
1997-10-15 11:00:20 +04:00
|
|
|
The
|
|
|
|
.Va flags
|
|
|
|
and
|
|
|
|
.Va mask
|
|
|
|
work together to change flag bits. The
|
|
|
|
.Va mask
|
|
|
|
field specifies which bits in
|
|
|
|
.Va flags
|
|
|
|
are to be set or cleared.
|
|
|
|
.It Dv RNDADDDATA
|
|
|
|
.Pq Li "rnddata_t"
|
|
|
|
.Bd -literal -offset indent
|
|
|
|
typedef struct {
|
|
|
|
u_int32_t len;
|
|
|
|
u_int32_t entropy;
|
|
|
|
u_char data[RND_POOLWORDS * 4];
|
|
|
|
} rnddata_t;
|
|
|
|
.Ed
|
|
|
|
.El
|
|
|
|
.Sh FILES
|
|
|
|
.Bl -tag -width /dev/urandomx -compact
|
|
|
|
.It Pa /dev/random
|
|
|
|
Returns ``good'' values only
|
|
|
|
.It Pa /dev/urandom
|
|
|
|
Always returns data, degenerates to a pseudo-random generator
|
|
|
|
.El
|
|
|
|
.Sh HISTORY
|
|
|
|
The random device was first made available in
|
|
|
|
.Nx 1.3 .
|
|
|
|
.Sh AUTHOR
|
|
|
|
This implementation was written by Michael Graff <explorer@flame.org>
|
|
|
|
using ideas and algorithms gathered from many sources, including
|
|
|
|
the driver written by Ted Ts'o.
|
|
|
|
.Sh SEE ALSO
|
|
|
|
.Xr rndctl 8 ,
|
|
|
|
.Xr rnd 9 .
|