First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>. This change includes
the following:
An initial cleanup and minor reorganization of the entropy pool
code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are
fixed. Some effort is made to accumulate entropy more quickly at
boot time.
A generic interface, "rndsink", is added, for stream generators to
request that they be re-keyed with good quality entropy from the pool
as soon as it is available.
The arc4random()/arc4randbytes() implementation in libkern is
adjusted to use the rndsink interface for rekeying, which helps
address the problem of low-quality keys at boot time.
An implementation of the FIPS 140-2 statistical tests for random
number generator quality is provided (libkern/rngtest.c). This
is based on Greg Rose's implementation from Qualcomm.
A new random stream generator, nist_ctr_drbg, is provided. It is
based on an implementation of the NIST SP800-90 CTR_DRBG by
Henric Jungheim. This generator users AES in a modified counter
mode to generate a backtracking-resistant random stream.
An abstraction layer, "cprng", is provided for in-kernel consumers
of randomness. The arc4random/arc4randbytes API is deprecated for
in-kernel use. It is replaced by "cprng_strong". The current
cprng_fast implementation wraps the existing arc4random
implementation. The current cprng_strong implementation wraps the
new CTR_DRBG implementation. Both interfaces are rekeyed from
the entropy pool automatically at intervals justifiable from best
current cryptographic practice.
In some quick tests, cprng_fast() is about the same speed as
the old arc4randbytes(), and cprng_strong() is about 20% faster
than rnd_extract_data(). Performance is expected to improve.
The AES code in src/crypto/rijndael is no longer an optional
kernel component, as it is required by cprng_strong, which is
not an optional kernel component.
The entropy pool output is subjected to the rngtest tests at
startup time; if it fails, the system will reboot. There is
approximately a 3/10000 chance of a false positive from these
tests. Entropy pool _input_ from hardware random numbers is
subjected to the rngtest tests at attach time, as well as the
FIPS continuous-output test, to detect bad or stuck hardware
RNGs; if any are detected, they are detached, but the system
continues to run.
A problem with rndctl(8) is fixed -- datastructures with
pointers in arrays are no longer passed to userspace (this
was not a security problem, but rather a major issue for
compat32). A new kernel will require a new rndctl.
The sysctl kern.arandom() and kern.urandom() nodes are hooked
up to the new generators, but the /dev/*random pseudodevices
are not, yet.
Manual pages for the new kernel interfaces are forthcoming.
2011-11-20 02:51:18 +04:00
|
|
|
/* $NetBSD: ip_id.c,v 1.15 2011/11/19 22:51:25 tls Exp $ */
|
2003-09-06 07:36:30 +04:00
|
|
|
|
2010-11-05 01:00:51 +03:00
|
|
|
/*-
|
|
|
|
|
* Copyright (c) 2008 The NetBSD Foundation, Inc.
|
2003-09-06 07:36:30 +04:00
|
|
|
* All rights reserved.
|
|
|
|
|
*
|
2010-11-05 01:00:51 +03:00
|
|
|
* This code is derived from software contributed to The NetBSD Foundation
|
|
|
|
|
* by the 3am Software Foundry ("3am"). It was developed by Matt Thomas.
|
2003-09-06 07:36:30 +04:00
|
|
|
*
|
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
|
* are met:
|
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
|
|
|
* documentation and/or other materials provided with the distribution.
|
|
|
|
|
*
|
2010-11-05 01:00:51 +03:00
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
|
|
|
|
|
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
|
|
|
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
|
|
|
|
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
|
|
|
|
|
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
|
|
|
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
|
|
|
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
|
|
|
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
|
|
|
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
|
|
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
|
|
|
* POSSIBILITY OF SUCH DAMAGE.
|
2003-09-06 07:36:30 +04:00
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <sys/cdefs.h>
|
First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>. This change includes
the following:
An initial cleanup and minor reorganization of the entropy pool
code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are
fixed. Some effort is made to accumulate entropy more quickly at
boot time.
A generic interface, "rndsink", is added, for stream generators to
request that they be re-keyed with good quality entropy from the pool
as soon as it is available.
The arc4random()/arc4randbytes() implementation in libkern is
adjusted to use the rndsink interface for rekeying, which helps
address the problem of low-quality keys at boot time.
An implementation of the FIPS 140-2 statistical tests for random
number generator quality is provided (libkern/rngtest.c). This
is based on Greg Rose's implementation from Qualcomm.
A new random stream generator, nist_ctr_drbg, is provided. It is
based on an implementation of the NIST SP800-90 CTR_DRBG by
Henric Jungheim. This generator users AES in a modified counter
mode to generate a backtracking-resistant random stream.
An abstraction layer, "cprng", is provided for in-kernel consumers
of randomness. The arc4random/arc4randbytes API is deprecated for
in-kernel use. It is replaced by "cprng_strong". The current
cprng_fast implementation wraps the existing arc4random
implementation. The current cprng_strong implementation wraps the
new CTR_DRBG implementation. Both interfaces are rekeyed from
the entropy pool automatically at intervals justifiable from best
current cryptographic practice.
In some quick tests, cprng_fast() is about the same speed as
the old arc4randbytes(), and cprng_strong() is about 20% faster
than rnd_extract_data(). Performance is expected to improve.
The AES code in src/crypto/rijndael is no longer an optional
kernel component, as it is required by cprng_strong, which is
not an optional kernel component.
The entropy pool output is subjected to the rngtest tests at
startup time; if it fails, the system will reboot. There is
approximately a 3/10000 chance of a false positive from these
tests. Entropy pool _input_ from hardware random numbers is
subjected to the rngtest tests at attach time, as well as the
FIPS continuous-output test, to detect bad or stuck hardware
RNGs; if any are detected, they are detached, but the system
continues to run.
A problem with rndctl(8) is fixed -- datastructures with
pointers in arrays are no longer passed to userspace (this
was not a security problem, but rather a major issue for
compat32). A new kernel will require a new rndctl.
The sysctl kern.arandom() and kern.urandom() nodes are hooked
up to the new generators, but the /dev/*random pseudodevices
are not, yet.
Manual pages for the new kernel interfaces are forthcoming.
2011-11-20 02:51:18 +04:00
|
|
|
__KERNEL_RCSID(0, "$NetBSD: ip_id.c,v 1.15 2011/11/19 22:51:25 tls Exp $");
|
2003-09-06 07:36:30 +04:00
|
|
|
|
|
|
|
|
#include <sys/param.h>
|
2010-11-05 04:35:57 +03:00
|
|
|
#include <sys/kmem.h>
|
|
|
|
|
#include <sys/mutex.h>
|
First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>. This change includes
the following:
An initial cleanup and minor reorganization of the entropy pool
code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are
fixed. Some effort is made to accumulate entropy more quickly at
boot time.
A generic interface, "rndsink", is added, for stream generators to
request that they be re-keyed with good quality entropy from the pool
as soon as it is available.
The arc4random()/arc4randbytes() implementation in libkern is
adjusted to use the rndsink interface for rekeying, which helps
address the problem of low-quality keys at boot time.
An implementation of the FIPS 140-2 statistical tests for random
number generator quality is provided (libkern/rngtest.c). This
is based on Greg Rose's implementation from Qualcomm.
A new random stream generator, nist_ctr_drbg, is provided. It is
based on an implementation of the NIST SP800-90 CTR_DRBG by
Henric Jungheim. This generator users AES in a modified counter
mode to generate a backtracking-resistant random stream.
An abstraction layer, "cprng", is provided for in-kernel consumers
of randomness. The arc4random/arc4randbytes API is deprecated for
in-kernel use. It is replaced by "cprng_strong". The current
cprng_fast implementation wraps the existing arc4random
implementation. The current cprng_strong implementation wraps the
new CTR_DRBG implementation. Both interfaces are rekeyed from
the entropy pool automatically at intervals justifiable from best
current cryptographic practice.
In some quick tests, cprng_fast() is about the same speed as
the old arc4randbytes(), and cprng_strong() is about 20% faster
than rnd_extract_data(). Performance is expected to improve.
The AES code in src/crypto/rijndael is no longer an optional
kernel component, as it is required by cprng_strong, which is
not an optional kernel component.
The entropy pool output is subjected to the rngtest tests at
startup time; if it fails, the system will reboot. There is
approximately a 3/10000 chance of a false positive from these
tests. Entropy pool _input_ from hardware random numbers is
subjected to the rngtest tests at attach time, as well as the
FIPS continuous-output test, to detect bad or stuck hardware
RNGs; if any are detected, they are detached, but the system
continues to run.
A problem with rndctl(8) is fixed -- datastructures with
pointers in arrays are no longer passed to userspace (this
was not a security problem, but rather a major issue for
compat32). A new kernel will require a new rndctl.
The sysctl kern.arandom() and kern.urandom() nodes are hooked
up to the new generators, but the /dev/*random pseudodevices
are not, yet.
Manual pages for the new kernel interfaces are forthcoming.
2011-11-20 02:51:18 +04:00
|
|
|
#include <sys/cprng.h>
|
2003-09-06 07:36:30 +04:00
|
|
|
|
|
|
|
|
#include <net/if.h>
|
|
|
|
|
#include <netinet/in.h>
|
2008-02-06 06:20:50 +03:00
|
|
|
#include <netinet/in_var.h>
|
2003-09-06 07:36:30 +04:00
|
|
|
|
2010-11-05 04:35:57 +03:00
|
|
|
#include <lib/libkern/libkern.h>
|
|
|
|
|
|
2008-02-06 06:20:50 +03:00
|
|
|
#define IPID_MAXID 65535
|
|
|
|
|
#define IPID_NUMIDS 32768
|
2003-09-06 07:36:30 +04:00
|
|
|
|
2010-11-05 04:35:57 +03:00
|
|
|
struct ipid_state {
|
|
|
|
|
kmutex_t ids_lock;
|
|
|
|
|
uint16_t ids_start_slot;
|
|
|
|
|
uint16_t ids_slots[IPID_MAXID];
|
|
|
|
|
};
|
2003-09-06 07:36:30 +04:00
|
|
|
|
2008-02-06 06:20:50 +03:00
|
|
|
static inline uint32_t
|
|
|
|
|
ipid_random(void)
|
|
|
|
|
{
|
First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>. This change includes
the following:
An initial cleanup and minor reorganization of the entropy pool
code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are
fixed. Some effort is made to accumulate entropy more quickly at
boot time.
A generic interface, "rndsink", is added, for stream generators to
request that they be re-keyed with good quality entropy from the pool
as soon as it is available.
The arc4random()/arc4randbytes() implementation in libkern is
adjusted to use the rndsink interface for rekeying, which helps
address the problem of low-quality keys at boot time.
An implementation of the FIPS 140-2 statistical tests for random
number generator quality is provided (libkern/rngtest.c). This
is based on Greg Rose's implementation from Qualcomm.
A new random stream generator, nist_ctr_drbg, is provided. It is
based on an implementation of the NIST SP800-90 CTR_DRBG by
Henric Jungheim. This generator users AES in a modified counter
mode to generate a backtracking-resistant random stream.
An abstraction layer, "cprng", is provided for in-kernel consumers
of randomness. The arc4random/arc4randbytes API is deprecated for
in-kernel use. It is replaced by "cprng_strong". The current
cprng_fast implementation wraps the existing arc4random
implementation. The current cprng_strong implementation wraps the
new CTR_DRBG implementation. Both interfaces are rekeyed from
the entropy pool automatically at intervals justifiable from best
current cryptographic practice.
In some quick tests, cprng_fast() is about the same speed as
the old arc4randbytes(), and cprng_strong() is about 20% faster
than rnd_extract_data(). Performance is expected to improve.
The AES code in src/crypto/rijndael is no longer an optional
kernel component, as it is required by cprng_strong, which is
not an optional kernel component.
The entropy pool output is subjected to the rngtest tests at
startup time; if it fails, the system will reboot. There is
approximately a 3/10000 chance of a false positive from these
tests. Entropy pool _input_ from hardware random numbers is
subjected to the rngtest tests at attach time, as well as the
FIPS continuous-output test, to detect bad or stuck hardware
RNGs; if any are detected, they are detached, but the system
continues to run.
A problem with rndctl(8) is fixed -- datastructures with
pointers in arrays are no longer passed to userspace (this
was not a security problem, but rather a major issue for
compat32). A new kernel will require a new rndctl.
The sysctl kern.arandom() and kern.urandom() nodes are hooked
up to the new generators, but the /dev/*random pseudodevices
are not, yet.
Manual pages for the new kernel interfaces are forthcoming.
2011-11-20 02:51:18 +04:00
|
|
|
return cprng_fast32();
|
2003-09-06 07:36:30 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
2008-02-06 06:20:50 +03:00
|
|
|
* Initalizes the
|
2003-09-06 07:36:30 +04:00
|
|
|
* the msb flag. The msb flag is used to generate two distinct
|
|
|
|
|
* cycles of random numbers and thus avoiding reuse of ids.
|
|
|
|
|
*
|
|
|
|
|
* This function is called from id_randomid() when needed, an
|
|
|
|
|
* application does not have to worry about it.
|
|
|
|
|
*/
|
2010-11-05 04:35:57 +03:00
|
|
|
ipid_state_t *
|
|
|
|
|
ip_id_init(void)
|
2003-09-06 07:36:30 +04:00
|
|
|
{
|
2010-11-05 04:35:57 +03:00
|
|
|
ipid_state_t *ids;
|
2008-02-06 06:20:50 +03:00
|
|
|
size_t i;
|
2003-09-06 07:36:30 +04:00
|
|
|
|
2010-11-05 04:35:57 +03:00
|
|
|
ids = kmem_alloc(sizeof(ipid_state_t), KM_SLEEP);
|
|
|
|
|
mutex_init(&ids->ids_lock, MUTEX_DEFAULT, IPL_SOFTNET);
|
|
|
|
|
|
|
|
|
|
ids->ids_start_slot = ipid_random();
|
|
|
|
|
for (i = 0; i < __arraycount(ids->ids_slots); i++) {
|
|
|
|
|
ids->ids_slots[i] = i;
|
|
|
|
|
}
|
2003-09-06 07:36:30 +04:00
|
|
|
|
|
|
|
|
/*
|
2008-02-06 06:20:50 +03:00
|
|
|
* Shuffle the array.
|
2003-09-06 07:36:30 +04:00
|
|
|
*/
|
2010-11-05 04:35:57 +03:00
|
|
|
for (i = __arraycount(ids->ids_slots); --i > 0;) {
|
2008-02-06 06:20:50 +03:00
|
|
|
size_t k = ipid_random() % (i + 1);
|
2010-11-05 04:35:57 +03:00
|
|
|
uint16_t t = ids->ids_slots[i];
|
|
|
|
|
ids->ids_slots[i] = ids->ids_slots[k];
|
|
|
|
|
ids->ids_slots[k] = t;
|
2003-09-06 07:36:30 +04:00
|
|
|
}
|
2010-11-05 04:35:57 +03:00
|
|
|
return ids;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
ip_id_fini(ipid_state_t *ids)
|
|
|
|
|
{
|
|
|
|
|
|
|
|
|
|
mutex_destroy(&ids->ids_lock);
|
|
|
|
|
kmem_free(ids, sizeof(ipid_state_t));
|
2003-09-06 07:36:30 +04:00
|
|
|
}
|
|
|
|
|
|
2008-02-06 06:20:50 +03:00
|
|
|
uint16_t
|
2010-11-05 04:35:57 +03:00
|
|
|
ip_randomid(ipid_state_t *ids, uint16_t salt)
|
2003-09-06 07:36:30 +04:00
|
|
|
{
|
2008-02-06 06:20:50 +03:00
|
|
|
uint32_t r, k, id;
|
2003-09-06 07:36:30 +04:00
|
|
|
|
2010-11-05 04:35:57 +03:00
|
|
|
/* A random number. */
|
2008-02-06 06:20:50 +03:00
|
|
|
r = ipid_random();
|
2003-09-06 07:36:30 +04:00
|
|
|
|
2008-02-06 06:20:50 +03:00
|
|
|
/*
|
|
|
|
|
* We do a modified Fisher-Yates shuffle but only one position at a
|
|
|
|
|
* time. Instead of the last entry, we swap with the first entry and
|
|
|
|
|
* then advance the start of the window by 1. The next time that
|
|
|
|
|
* swapped-out entry can be used is at least 32768 iterations in the
|
|
|
|
|
* future.
|
2010-11-05 04:35:57 +03:00
|
|
|
*
|
2008-02-06 06:20:50 +03:00
|
|
|
* The easiest way to visual this is to imagine a card deck with 52
|
|
|
|
|
* cards. First thing we do is split that into two sets, each with
|
|
|
|
|
* half of the cards; call them deck A and deck B. Pick a card
|
|
|
|
|
* randomly from deck A and remember it, then place it at the
|
|
|
|
|
* bottom of deck B. Then take the top card from deck B and add it
|
|
|
|
|
* to deck A. Pick another card randomly from deck A and ...
|
|
|
|
|
*/
|
2010-11-05 04:35:57 +03:00
|
|
|
mutex_enter(&ids->ids_lock);
|
|
|
|
|
k = (r & (IPID_NUMIDS - 1)) + ids->ids_start_slot;
|
|
|
|
|
if (k >= IPID_MAXID) {
|
2008-02-06 06:20:50 +03:00
|
|
|
k -= IPID_MAXID;
|
|
|
|
|
}
|
2010-11-05 04:35:57 +03:00
|
|
|
id = ids->ids_slots[k];
|
|
|
|
|
if (k != ids->ids_start_slot) {
|
|
|
|
|
ids->ids_slots[k] = ids->ids_slots[ids->ids_start_slot];
|
|
|
|
|
ids->ids_slots[ids->ids_start_slot] = id;
|
|
|
|
|
}
|
|
|
|
|
if (++ids->ids_start_slot == IPID_MAXID) {
|
|
|
|
|
ids->ids_start_slot = 0;
|
|
|
|
|
}
|
|
|
|
|
mutex_exit(&ids->ids_lock);
|
|
|
|
|
|
2008-02-06 06:20:50 +03:00
|
|
|
/*
|
|
|
|
|
* Add an optional salt to the id to further obscure it.
|
|
|
|
|
*/
|
|
|
|
|
id += salt;
|
2010-11-05 04:35:57 +03:00
|
|
|
if (id >= IPID_MAXID) {
|
2008-02-06 06:20:50 +03:00
|
|
|
id -= IPID_MAXID;
|
2010-11-05 04:35:57 +03:00
|
|
|
}
|
|
|
|
|
return (uint16_t)htons(id + 1);
|
2003-09-06 07:36:30 +04:00
|
|
|
}
|