/* $NetBSD: kern_rndq.c,v 1.90 2018/07/03 18:09:28 jdolecek Exp $ */
/*-
* Copyright (c) 1997-2013 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This code is derived from software contributed to The NetBSD Foundation
* by Michael Graff <explorer@flame.org> and Thor Lancelot Simon.
* This code uses ideas and algorithms from the Linux driver written by
* Ted Ts'o.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: kern_rndq.c,v 1.90 2018/07/03 18:09:28 jdolecek Exp $");
#include <sys/param.h>
#include <sys/atomic.h>
#include <sys/callout.h>
#include <sys/fcntl.h>
#include <sys/intr.h>
#include <sys/ioctl.h>
#include <sys/kauth.h>
#include <sys/kernel.h>
#include <sys/kmem.h>
#include <sys/mutex.h>
#include <sys/pool.h>
#include <sys/proc.h>
#include <sys/rnd.h>
#include <sys/rndpool.h>
#include <sys/rndsink.h>
#include <sys/rndsource.h>
#include <sys/rngtest.h>
#include <sys/systm.h>
#include <dev/rnd_private.h>
#ifdef COMPAT_50
#include <compat/sys/rnd.h>
#endif
#if defined(__HAVE_CPU_RNG) && !defined(_RUMPKERNEL)
#include <machine/cpu_rng.h>
#endif
#if defined(__HAVE_CPU_COUNTER)
#include <machine/cpu_counter.h>
#endif
#ifdef RND_DEBUG
/*
 * Debug tracing.  `l` is a bit mask tested against rnd_debug, `x` is a
 * fully parenthesised printf-style argument list.  Note the body is an
 * unbraced `if`: a DPRINTF() immediately followed by `else` would bind
 * that else to this hidden `if`.
 */
#define DPRINTF(l,x) if (rnd_debug & (l)) rnd_printf x
int rnd_debug = 0;
#else
#define DPRINTF(l,x)
#endif

/*
 * list devices attached
 */
#if 0
#define RND_VERBOSE
#endif

/*
 * rnd_printf_verbose() forwards to rnd_printf() only when RND_VERBOSE
 * is defined; otherwise it expands to a no-op and its arguments are not
 * evaluated.
 */
#ifdef RND_VERBOSE
#define rnd_printf_verbose(fmt, ...) rnd_printf(fmt, ##__VA_ARGS__)
#else
#define rnd_printf_verbose(fmt, ...) ((void)0)
#endif

#ifdef RND_VERBOSE
/* Counts delta-estimator calls so verbose output can be rate-limited. */
static unsigned int deltacnt;
#endif
/*
 * This is a little bit of state information attached to each device that we
 * collect entropy from.  This is simply a collection buffer, and when it
 * is full it will be "detached" from the source and added to the entropy
 * pool after entropy is distilled as much as possible.
 */
#define RND_SAMPLE_COUNT 64 /* collect N samples, then compress */
typedef struct _rnd_sample_t {
	SIMPLEQ_ENTRY(_rnd_sample_t) next;	/* link in a struct rnd_sampleq */
	krndsource_t *source;			/* source the samples came from */
	int cursor;				/* fill index into ts[]/values[];
						 * presumably the next free slot */
	int entropy;				/* entropy credited to this batch;
						 * units not shown here (bits?) */
	uint32_t ts[RND_SAMPLE_COUNT];		/* per-sample timestamps */
	uint32_t values[RND_SAMPLE_COUNT];	/* per-sample values */
} rnd_sample_t;

/* Queue type for rnd_sample_t batches (used by rnd_samples below). */
SIMPLEQ_HEAD(rnd_sampleq, _rnd_sample_t);
/*
 * The sample queue.  Samples are put into the queue and processed in a
 * softint in order to limit the latency of adding a sample.
 */
static struct {
	kmutex_t lock;		/* presumably serialises access to q */
	struct rnd_sampleq q;	/* rnd_sample_t batches awaiting processing */
} rnd_samples __cacheline_aligned;

/*
 * Memory pool for sample buffers
 */
static pool_cache_t rnd_mempc __read_mostly;
/*
 * Global entropy pool and sources.
 */
static struct {
	kmutex_t lock;		/* spin mutex (mutex_spin_enter) guarding pool and sources */
	rndpool_t pool;		/* the entropy pool */
	LIST_HEAD(, krndsource) sources;	/* all attached entropy sources */
	kcondvar_t cv;		/* broadcast when a source's refcnt drops to zero */
} rnd_global __cacheline_aligned;
/*
 * This source is used to easily "remove" queue entries when the source
 * which actually generated the events is going away.
 */
static krndsource_t rnd_source_no_collect = {
	/* LIST_ENTRY list */
	/* "NoCollect", spelled out and NUL-padded to fill the name array. */
	.name = { 'N', 'o', 'C', 'o', 'l', 'l', 'e', 'c', 't',
	    0, 0, 0, 0, 0, 0, 0 },
	.total = 0,
	.type = RND_TYPE_UNKNOWN,
	/*
	 * Going by the flag names, samples attributed to this source are
	 * neither collected into the pool nor counted as entropy.
	 */
	.flags = (RND_FLAG_NO_COLLECT |
	    RND_FLAG_NO_ESTIMATE),
	.state = NULL,
	.test_cnt = 0,
	.test = NULL
};

/* Built-in sources; non-static because other kernel code refers to them. */
krndsource_t rnd_printf_source, rnd_autoconf_source;
/*
 * Softint handles.  Both start out NULL; while they are NULL the
 * rnd_schedule_*() helpers below do the work synchronously instead
 * (rnd_process_events() and rndsinks_distribute() respectively).
 */
static void *rnd_process __read_mostly;
static void *rnd_wakeup __read_mostly;

static inline uint32_t rnd_counter(void);
static void rnd_intr(void *);		/* presumably the rnd_process softint handler */
static void rnd_wake(void *);		/* presumably the rnd_wakeup softint handler */
static void rnd_process_events(void);
static void rnd_add_data_ts(krndsource_t *, const void *const,
    uint32_t, uint32_t, uint32_t, bool);
static inline void rnd_schedule_process(void);

/* Set once the subsystem is usable; rnd_counter() returns 0 until then. */
int rnd_ready = 0;
int rnd_initial_entropy = 0;

/* Try-lock flag for rnd_printf(): 0 = free, 1 = some CPU is printing. */
static volatile unsigned rnd_printing = 0;

#ifdef DIAGNOSTIC
/*
 * rngtest state for checking pool output under DIAGNOSTIC kernels.
 * rnd_testbits is sized from the test structure's own sample buffer.
 * rnd_tested presumably guards a one-shot run -- confirm in the code
 * that uses it.
 */
static int rnd_tested = 0;
static rngtest_t rnd_rt;
static uint8_t rnd_testbits[sizeof(rnd_rt.rt_b)];
#endif

/*
 * NOTE(review): saved-entropy record handed in at boot, judging by the
 * name and type; where it is set and consumed is outside this view.
 */
static rndsave_t *boot_rsp;
/*
 * printf for the rnd subsystem that never blocks on itself: rnd_printing
 * is used as a try-lock, so a message arriving while another CPU is
 * already printing is simply dropped.
 *
 * NOTE(review): the flag is released with a plain store and no
 * membar_exit(); whether that is ordered after vprintf()'s stores on
 * weakly ordered CPUs depends on what atomic_cas_uint() guarantees on
 * the ports in question -- confirm.
 */
static inline void
rnd_printf(const char *fmt, ...)
{
	va_list args;

	/* Only proceed if we flipped the flag from 0 to 1 ourselves. */
	if (atomic_cas_uint(&rnd_printing, 0, 1) == 0) {
		va_start(args, fmt);
		vprintf(fmt, args);
		va_end(args);

		rnd_printing = 0;	/* release the try-lock */
	}
}
/*
 * Generate a 32-bit counter.
 *
 * Prefers the CPU cycle counter on ports that have a usable one.
 * Otherwise the bintime from binuptime() is folded to 32 bits by XORing
 * the low and high 32-bit halves of both its sec and frac fields.
 * Returns 0 before rnd_ready is set, because the timecounter cannot be
 * consulted that early.
 */
static inline uint32_t
rnd_counter(void)
{
	struct bintime now;
	uint64_t folded;

#if defined(__HAVE_CPU_COUNTER)
	if (cpu_hascounter())
		return cpu_counter32();
#endif
	if (!rnd_ready)
		/* Too early to call nanotime. */
		return 0;

	binuptime(&now);
	/* Truncation to 32 bits commutes with XOR, so fold in one go. */
	folded = now.sec ^ (now.sec >> 32) ^ now.frac ^ (now.frac >> 32);

	return (uint32_t)folded;
}
/*
 * We may be called from low IPL -- protect our softint.
 */

/*
 * Schedule the softint identified by `softint` (a handle such as
 * rnd_process or rnd_wakeup).  Preemption is disabled across the
 * softint_schedule() call for the reason given above: callers may be
 * running at low IPL.
 */
static inline void
rnd_schedule_softint(void *softint)
{

	kpreempt_disable();
	softint_schedule(softint);
	kpreempt_enable();
}
/*
 * Arrange for queued samples to be processed.  Uses the rnd_process
 * softint when one has been established; until then (presumably early
 * in boot) rnd_process_events() is run directly in the caller's context.
 */
static inline void
rnd_schedule_process(void)
{

	if (__predict_false(rnd_process == NULL)) {
		/* No softint handle yet: do the work synchronously. */
		rnd_process_events();
	} else {
		rnd_schedule_softint(rnd_process);
	}
}
/*
 * Arrange for entropy to be handed to waiting sinks.  Uses the
 * rnd_wakeup softint when one has been established; until then
 * rndsinks_distribute() is called directly in the caller's context.
 */
static inline void
rnd_schedule_wakeup(void)
{

	if (__predict_false(rnd_wakeup == NULL)) {
		/* No softint handle yet: distribute synchronously. */
		rndsinks_distribute();
	} else {
		rnd_schedule_softint(rnd_wakeup);
	}
}
/*
 * Tell any sources with "feed me" callbacks that we are hungry.
 *
 * byteswanted: how many bytes the caller would like; it is raised to a
 *   floor covering the pool plus one full sample batch (see below).
 *
 * Walks rnd_global.sources under rnd_global.lock and invokes each
 * enabled source's get() callback with the lock dropped, holding a
 * reference on that source meanwhile.  Takes rnd_global.lock itself,
 * so callers must not hold it.
 *
 * NOTE(review): LIST_FOREACH_SAFE captures `next` before the lock is
 * dropped around rs->get(); only `rs` is pinned by its refcnt.  Whether
 * a concurrent detach of the *following* source can invalidate `next`
 * depends on the detach path, which is not in view here -- confirm.
 */
void
rnd_getmore(size_t byteswanted)
{
	krndsource_t *rs, *next;

	/*
	 * Due to buffering in rnd_process_events, even if the entropy
	 * sources provide the requested number of bytes, users may not
	 * be woken because the data may be stuck in unfilled buffers.
	 * So ask for enough data to fill all the buffers.
	 *
	 * XXX Just get rid of this buffering and solve the
	 * /dev/random-as-side-channel-for-keystroke-timings a
	 * different way.
	 */
	byteswanted = MAX(byteswanted,
	    MAX(RND_POOLBITS/NBBY, sizeof(uint32_t)*RND_SAMPLE_COUNT));

	mutex_spin_enter(&rnd_global.lock);
	LIST_FOREACH_SAFE(rs, &rnd_global.sources, list, next) {
		/* Skip if the source is disabled. */
		if (!RND_ENABLED(rs))
			continue;

		/* Skip if there's no callback. */
		if (!ISSET(rs->flags, RND_FLAG_HASCB))
			continue;
		KASSERT(rs->get != NULL);

		/* Skip if there are too many users right now. */
		if (rs->refcnt == UINT_MAX)
			continue;

		/*
		 * Hold a reference while we release rnd_global.lock to
		 * call the callback.  The callback may in turn call
		 * rnd_add_data, which acquires rnd_global.lock.
		 */
		rs->refcnt++;
		mutex_spin_exit(&rnd_global.lock);
		rs->get(byteswanted, rs->getarg);
		mutex_spin_enter(&rnd_global.lock);
		/* Last reference gone: wake anyone waiting on rnd_global.cv. */
		if (--rs->refcnt == 0)
			cv_broadcast(&rnd_global.cv);

		/* Dribble some goo to the console. */
		rnd_printf_verbose("rnd: entropy estimate %zu bits\n",
		    rndpool_get_entropy_count(&rnd_global.pool));
		rnd_printf_verbose("rnd: asking source %s for %zu bytes\n",
		    rs->name, byteswanted);
	}
	mutex_spin_exit(&rnd_global.lock);

	/*
	 * Check whether we got entropy samples to process.  In that
	 * case, we may need to distribute entropy to waiters.  Do
	 * that, if we can do it asynchronously.
	 *
	 * - Conditionally because we don't want a softint loop.
	 * - Asynchronously because if we did it synchronously, we may
	 *   end up with lock recursion on rndsinks_lock.
	 *
	 * The queue is peeked without rnd_samples.lock; presumably a
	 * stale answer here is harmless (a missed sample is processed
	 * on the next pass) -- confirm.
	 */
	if (!SIMPLEQ_EMPTY(&rnd_samples.q) && rnd_process != NULL)
		rnd_schedule_process();
}
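/*
 * Use the timing/value of the event to estimate the entropy gathered.
 * If all the differentials (first, second, and third) are non-zero, return
 * non-zero.  If any of these are zero, return zero.
 */

/*
 * Magnitude of a 32-bit two's-complement difference held in an unsigned.
 * Negating in unsigned arithmetic keeps the INT32_MIN case (0x80000000)
 * defined; it maps to itself on the modular int32_t conversion.
 */
static inline int32_t
rnd_abs32(uint32_t u)
{

	if (u & 0x80000000u)
		u = 0u - u;
	return (int32_t)u;
}

/*
 * d:     per-source estimator state; x, dx, d2x, insamples and outbits
 *        are updated in place.
 * v:     the new sample value, recorded as d->x.
 * delta: first-order differential supplied by the caller, which may be
 *        anywhere in the int32_t range (see rnd_dt_estimate's wrap
 *        handling).
 *
 * Returns 1 if all three differentials are non-zero, else 0.  Every call
 * bumps d->insamples; only a 1 return bumps d->outbits.
 */
static inline uint32_t
rnd_delta_estimate(rnd_delta_t *d, uint32_t v, int32_t delta)
{
	int32_t delta2, delta3;

	d->insamples++;

	/*
	 * Calculate the second and third order differentials.
	 *
	 * Done modulo 2^32 with the absolute value taken via rnd_abs32():
	 * because delta can be near the int32_t extremes, the plain signed
	 * subtraction and negation could overflow, which is undefined
	 * behaviour in C.  Results are identical to the signed form
	 * whenever that form does not overflow.
	 */
	delta2 = rnd_abs32((uint32_t)d->dx - (uint32_t)delta);
	delta3 = rnd_abs32((uint32_t)d->d2x - (uint32_t)delta2);

	d->x = v;
	d->dx = delta;
	d->d2x = delta2;

	/*
	 * If any delta is 0, we got no entropy.  If all are non-zero, we
	 * might have something.
	 */
	if (delta == 0 || delta2 == 0 || delta3 == 0)
		return 0;

	d->outbits++;
	return 1;
}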
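/*
 * Delta estimator for 32-bit timestamps.  The counter is expected to
 * wrap, so the distance from the previous timestamp is taken modulo
 * 2^32 and then reduced to the shorter arc so it fits the non-negative
 * int32_t that rnd_delta_estimate() stores as d->dx.
 *
 * rs - the source whose time_delta state is updated
 * t  - the new 32-bit timestamp
 *
 * Returns the estimator's verdict for this sample (0 or 1 bit).
 */
static inline uint32_t
rnd_dt_estimate(krndsource_t *rs, uint32_t t)
{
	rnd_delta_t *d = &rs->time_delta;
	uint32_t dist;
	int32_t delta;
	uint32_t ret;

	/*
	 * Unsigned subtraction already yields the forward distance
	 * modulo 2^32, wrap included.  Spelling the wrap case out as
	 * UINT32_MAX - d->x + t is one short of that distance: it can
	 * drop a real bit (distance 1 becomes 0) and, because the
	 * shortened value is what gets stored as d->dx, can credit a
	 * spurious bit on the next sample when a perfectly periodic
	 * source happens to straddle a wrap.
	 */
	dist = t - d->x;

	/*
	 * Reduce to the shorter arc so the value is representable as a
	 * non-negative int32_t; this also avoids negating INT32_MIN,
	 * which signed arithmetic leaves undefined.  The estimator only
	 * tests each differential for zero, so the choice of arc just
	 * has to be consistent from call to call.
	 */
	if (dist > (uint32_t)INT32_MAX)
		dist = 0u - dist;
	if (dist > (uint32_t)INT32_MAX)	/* exactly 2^31 either way */
		dist = (uint32_t)INT32_MAX;
	delta = (int32_t)dist;

	ret = rnd_delta_estimate(d, t, delta);

	KASSERT(d->x == t);
	KASSERT(d->dx == delta);
#ifdef RND_VERBOSE
	if (deltacnt++ % 1151 == 0) {
		/* Arguments widened to long long to match the %lld conversions. */
		rnd_printf_verbose("rnd_dt_estimate: %s x = %lld, dx = %lld, "
		    "d2x = %lld\n", rs->name,
		    (long long int)d->x, (long long int)d->dx,
		    (long long int)d->d2x);
	}
#endif
	return ret;
}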
/*
 * Delta estimator for 32-bit sample values.  Unlike timestamps, values
 * carry no notion of wrap: the difference is simply the previous value
 * minus this one, narrowed to a signed 32-bit quantity and reflected to
 * be non-negative.
 *
 * rs - the source whose value_delta state is updated
 * v  - the new sample value
 *
 * Returns the estimator's verdict for this sample (0 or 1 bit).
 */
static inline uint32_t
rnd_dv_estimate(krndsource_t *rs, uint32_t v)
{
	rnd_delta_t *d = &rs->value_delta;
	int32_t diff;
	uint32_t bits;

	/*
	 * The uint32_t subtraction is narrowed to int32_t and then made
	 * non-negative.
	 * NOTE(review): a difference that narrows to INT32_MIN would be
	 * negated here, which signed arithmetic does not define — probably
	 * not a reachable concern for a 0/1-bit estimate, but confirm.
	 */
	diff = d->x - v;
	if (diff < 0)
		diff = -diff;

	bits = rnd_delta_estimate(d, v, diff);

	KASSERT(d->x == v);
	KASSERT(d->dx == diff);
#ifdef RND_VERBOSE
	if (deltacnt++ % 1151 == 0) {
		rnd_printf_verbose("rnd_dv_estimate: %s x = %lld, dx = %lld, "
		    " d2x = %lld\n", rs->name,
		    (long long int)d->x,
		    (long long int)d->dx,
		    (long long int)d->d2x);
	}
#endif
	return bits;
}
#if defined(__HAVE_CPU_RNG) && !defined(_RUMPKERNEL)
/*
 * State for the CPU-provided RNG source ("cpurng").  Only compiled in
 * when the platform advertises __HAVE_CPU_RNG, and never in rump kernels.
 */
static struct {
	kmutex_t lock; /* unfortunately, must protect krndsource */
	krndsource_t source;
} rnd_cpu __cacheline_aligned;
/*
 * Pull a batch of output from the CPU RNG and feed it to the pool.
 *
 * bytes - requested amount; not consulted, a fixed stack buffer of
 *         2 * RND_ENTROPY_THRESHOLD bytes is always gathered
 * priv  - must be &rnd_cpu.source
 *
 * The entropy credit is the sum of what cpu_rng() reports per word, so
 * words for which it reports nothing are still mixed in but earn no
 * credit.  When no word earned any credit nothing is added at all.
 *
 * NOTE(review): in that no-credit case the buffer is not scrubbed
 * before return; whether cpu_rng() leaves anything meaningful in a word
 * it reports zero entropy for is not visible from here.
 */
static void
rnd_cpu_get(size_t bytes, void *priv)
{
	cpu_rng_t buf[2 * RND_ENTROPY_THRESHOLD / sizeof(cpu_rng_t)];
	krndsource_t *src = priv;
	size_t credit = 0;
	size_t i;

	KASSERT(src == &rnd_cpu.source);

	for (i = 0; i < __arraycount(buf); i++)
		credit += cpu_rng(&buf[i]);

	if (__predict_true(credit != 0)) {
		/*
		 * rnd_cpu.lock guards the krndsource; the stack copy of
		 * the RNG output is scrubbed before the lock is dropped.
		 */
		mutex_spin_enter(&rnd_cpu.lock);
		rnd_add_data_sync(src, buf, sizeof(buf), credit);
		explicit_memset(buf, 0, sizeof(buf));
		mutex_spin_exit(&rnd_cpu.lock);
	}
}
#endif
#if defined(__HAVE_CPU_COUNTER)
/*
 * State for the callout-skew source ("callout"): TrueRand-style sampling
 * of the cycle counter against the callout clock.  Only compiled in when
 * the platform has __HAVE_CPU_COUNTER.
 */
static struct {
	kmutex_t lock;		/* taken by rnd_skew_intr around iter/callout */
	int iter;		/* firings left in the current 100-shot run */
	struct callout callout;
	krndsource_t source;
} rnd_skew __cacheline_aligned;
/* Callout handler for rnd_skew; also called directly by enable and init. */
static void rnd_skew_intr(void *);
/*
 * Enable/disable callback for the callout-skew source.
 *
 * rs      - the skew source; passed through to rnd_skew_intr(), which
 *           ignores its argument
 * enabled - true to (re)start sampling, false to stop the callout
 *
 * Enabling runs the handler directly instead of scheduling it.
 * NOTE(review): rnd_skew.iter is not reset here, so if it has already
 * counted down to zero the handler reschedules nothing until the next
 * rnd_skew_get() request — presumably intended, worth confirming.
 */
static void
rnd_skew_enable(krndsource_t *rs, bool enabled)
{
	if (!enabled) {
		callout_stop(&rnd_skew.callout);
		return;
	}
	rnd_skew_intr(rs);
}
/*
 * Pool request callback for the callout-skew source: arm a run of 100
 * callout firings, the first on the next tick.  The requested byte
 * count is not used; the run length is fixed.
 *
 * bytes - requested amount (ignored)
 * priv  - must be &rnd_skew.source
 *
 * NOTE(review): iter is written here without rnd_skew.lock, while
 * rnd_skew_intr() updates it under that lock, so a concurrent firing
 * could lose one update.  That only changes the run length by one and
 * looks benign from what is visible here.
 */
static void
rnd_skew_get(size_t bytes, void *priv)
{
	krndsource_t *src __diagused = priv;
	const int measurements = 100;

	KASSERT(src == &rnd_skew.source);

	rnd_skew.iter = measurements;
	callout_schedule(&rnd_skew.callout, 1);
}
/*
 * Callout handler for the callout-skew source.
 *
 * Firings alternate: when rnd_skew.iter is odd the cycle counter is
 * sampled into the pool and the next firing is hz/10 ticks away; when
 * it is even nothing is sampled and the next firing is one tick away.
 * The run ends when iter counts down to zero or the source is disabled.
 *
 * arg - unused; the handler works on the global rnd_skew state
 *
 * Even on systems with seemingly stable clocks, the delta-time entropy
 * estimator credits about 1 bit here every 2 calls.
 * NOTE(review): whether that reflects genuine clock skew or estimator
 * optimism is not visible from here; treat the credit as heuristic.
 */
static void
rnd_skew_intr(void *arg)
{
	int next_ticks;

	mutex_spin_enter(&rnd_skew.lock);

	if (!RND_ENABLED(&rnd_skew.source)) {
		mutex_spin_exit(&rnd_skew.lock);
		return;
	}

	next_ticks = 1;
	if (rnd_skew.iter & 1) {
		rnd_add_uint32(&rnd_skew.source, rnd_counter());
		next_ticks = hz / 10;	/* NOTE(review): 0 ticks if hz < 10 */
	}
	rnd_skew.iter--;
	if (rnd_skew.iter > 0)
		callout_schedule(&rnd_skew.callout, next_ticks);

	mutex_spin_exit(&rnd_skew.lock);
}
#endif
/*
 * Establish the two soft interrupts the entropy queue relies on, then
 * schedule one processing pass — presumably to pick up samples queued
 * before the softints existed.
 *
 * rnd_process (SOFTINT_SERIAL) runs rnd_intr; rnd_wakeup (SOFTINT_CLOCK)
 * runs rnd_wake.  Both are established MP-safe.
 */
void
rnd_init_softint(void)
{
	void *process, *wakeup;

	process = softint_establish(SOFTINT_SERIAL|SOFTINT_MPSAFE,
	    rnd_intr, NULL);
	wakeup = softint_establish(SOFTINT_CLOCK|SOFTINT_MPSAFE,
	    rnd_wake, NULL);

	rnd_process = process;
	rnd_wakeup = wakeup;

	rnd_schedule_process();
}
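/*
 * Entropy was just added to the pool.  If the pool's estimate crossed
 * RND_ENTROPY_THRESHOLD bytes' worth of bits for the first time, set
 * rnd_initial_entropy = 1.
 *
 * Must be called with rnd_global.lock held.  Once the flag is set the
 * check is skipped for good; nothing here ever clears it.
 */
static void
rnd_entropy_added(void)
{
	uint32_t pool_entropy;

	KASSERT(mutex_owned(&rnd_global.lock));

	if (__predict_true(rnd_initial_entropy))
		return;
	pool_entropy = rndpool_get_entropy_count(&rnd_global.pool);
	if (pool_entropy > RND_ENTROPY_THRESHOLD * NBBY) {
		/*
		 * %u, not %zu: pool_entropy is a uint32_t, and a size_t
		 * conversion reads a wider argument than was passed on
		 * LP64 platforms.
		 */
		rnd_printf_verbose("rnd: have initial entropy (%u)\n",
		    pool_entropy);
		rnd_initial_entropy = 1;
	}
}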
/*
 * Initialize the global random pool for our use.
 *
 * rnd_init() must be called very early on in the boot process, so the
 * pool is ready for other devices to attach as sources.  A second call
 * returns immediately once rnd_ready has been set.
 *
 * Order matters below: the sample queue, the global pool/lock/cv and the
 * sample pool cache are set up before any source is attached or any data
 * is mixed in, because rnd_attach_source(), rnd_cpu_get() and
 * rnd_skew_intr() go on to use them.
 */
void
rnd_init(void)
{
	uint32_t c;

	if (rnd_ready)
		return;

	/*
	 * take a counter early, hoping that there's some variance in
	 * the following operations
	 */
	c = rnd_counter();

	rndsinks_init();

	/* Initialize the sample queue. */
	mutex_init(&rnd_samples.lock, MUTEX_DEFAULT, IPL_VM);
	SIMPLEQ_INIT(&rnd_samples.q);

	/* Initialize the global pool and sources list. */
	mutex_init(&rnd_global.lock, MUTEX_DEFAULT, IPL_VM);
	rndpool_init(&rnd_global.pool);
	LIST_INIT(&rnd_global.sources);
	cv_init(&rnd_global.cv, "rndsrc");

	rnd_mempc = pool_cache_init(sizeof(rnd_sample_t), 0, 0, 0,
	    "rndsample", NULL, IPL_VM,
	    NULL, NULL, NULL);

	/*
	 * Set resource limit. The rnd_process_events() function
	 * is called every tick and process the sample queue.
	 * Without limitation, if a lot of rnd_add_*() are called,
	 * all kernel memory may be eaten up.
	 *
	 * The hard limit caps outstanding rnd_sample_t buffers at
	 * RND_POOLBITS, bounding what a chatty source can pin.
	 */
	pool_cache_sethardlimit(rnd_mempc, RND_POOLBITS, NULL, 0);

	/*
	 * Mix *something*, *anything* into the pool to help it get started.
	 * However, it's not safe for rnd_counter() to call microtime() yet,
	 * so on some platforms we might just end up with zeros anyway.
	 * XXX more things to add would be nice.
	 *
	 * Each counter sample is credited with a single bit; a zero
	 * counter (no usable counter yet) is skipped entirely.
	 */
	if (c) {
		mutex_spin_enter(&rnd_global.lock);
		rndpool_add_data(&rnd_global.pool, &c, sizeof(c), 1);
		c = rnd_counter();
		rndpool_add_data(&rnd_global.pool, &c, sizeof(c), 1);
		mutex_spin_exit(&rnd_global.lock);
	}

	/*
	 * Attach CPU RNG if available.
	 * The source is primed right away with one rnd_cpu_get() call;
	 * rnd_cpu_get() does not consult the size argument.
	 */
#if defined(__HAVE_CPU_RNG) && !defined(_RUMPKERNEL)
	if (cpu_rng_init()) {
		/* IPL_VM because taken while rnd_global.lock is held. */
		mutex_init(&rnd_cpu.lock, MUTEX_DEFAULT, IPL_VM);
		rndsource_setcb(&rnd_cpu.source, rnd_cpu_get, &rnd_cpu.source);
		rnd_attach_source(&rnd_cpu.source, "cpurng",
		    RND_TYPE_RNG, RND_FLAG_COLLECT_VALUE|
		    RND_FLAG_HASCB|RND_FLAG_HASENABLE);
		rnd_cpu_get(RND_ENTROPY_THRESHOLD, &rnd_cpu.source);
	}
#endif

	/*
	 * If we have a cycle counter, take its error with respect
	 * to the callout mechanism as a source of entropy, ala
	 * TrueRand.
	 *
	 * The first run of 100 measurements is kicked off synchronously
	 * by rnd_skew_intr(NULL) once rnd_skew.iter is set; the callout
	 * is CALLOUT_MPSAFE, so later firings may run on any CPU.
	 */
#if defined(__HAVE_CPU_COUNTER)
	/* IPL_VM because taken while rnd_global.lock is held. */
	mutex_init(&rnd_skew.lock, MUTEX_DEFAULT, IPL_VM);
	callout_init(&rnd_skew.callout, CALLOUT_MPSAFE);
	callout_setfunc(&rnd_skew.callout, rnd_skew_intr, NULL);
	rndsource_setcb(&rnd_skew.source, rnd_skew_get, &rnd_skew.source);
	rndsource_setenable(&rnd_skew.source, rnd_skew_enable);
	rnd_attach_source(&rnd_skew.source, "callout", RND_TYPE_SKEW,
	    RND_FLAG_COLLECT_VALUE|RND_FLAG_ESTIMATE_VALUE|
	    RND_FLAG_HASCB|RND_FLAG_HASENABLE);
	rnd_skew.iter = 100;
	rnd_skew_intr(NULL);
#endif

	rnd_printf_verbose("rnd: initialised (%u)%s", RND_POOLBITS,
	    c ? " with counter\n" : "\n");

	/*
	 * Seed from the saved boot seed if one is present.  The seed's
	 * self-reported entropy is capped at RND_POOLBITS / 2, so however
	 * much the seed claims it cannot by itself account for more than
	 * half the pool.  The seed buffer is scrubbed with explicit_memset()
	 * once consumed so the seed bytes do not linger in memory.
	 */
	if (boot_rsp != NULL) {
		mutex_spin_enter(&rnd_global.lock);
		rndpool_add_data(&rnd_global.pool, boot_rsp->data,
		    sizeof(boot_rsp->data),
		    MIN(boot_rsp->entropy, RND_POOLBITS / 2));
		rnd_entropy_added();
		mutex_spin_exit(&rnd_global.lock);
		rnd_printf("rnd: seeded with %d bits\n",
		    MIN(boot_rsp->entropy, RND_POOLBITS / 2));
		explicit_memset(boot_rsp, 0, sizeof(*boot_rsp));
	}

	/* Generic sources: printf (no estimate) and autoconf timing. */
	rnd_attach_source(&rnd_printf_source, "printf", RND_TYPE_UNKNOWN,
	    RND_FLAG_NO_ESTIMATE);
	rnd_attach_source(&rnd_autoconf_source, "autoconf",
	    RND_TYPE_UNKNOWN,
	    RND_FLAG_COLLECT_TIME|RND_FLAG_ESTIMATE_TIME);
	rnd_ready = 1;
}
/*
 * Allocate a fresh sample buffer for SOURCE from the sample pool cache,
 * with PR_WAITOK (the caller may sleep).  Returns NULL if the cache did
 * not hand one back.  Only source, cursor and entropy are initialized;
 * the remaining fields are not touched here.
 *
 * source - the source the sample will belong to
 */
static rnd_sample_t *
rnd_sample_allocate(krndsource_t *source)
{
	rnd_sample_t *sample = pool_cache_get(rnd_mempc, PR_WAITOK);

	if (sample != NULL) {
		sample->source = source;
		sample->cursor = 0;
		sample->entropy = 0;
	}
	return sample;
}
/*
 * Interrupt-context variant of rnd_sample_allocate(): never waits on
 * allocation (PR_NOWAIT), so it returns NULL when the cache cannot
 * satisfy the request immediately and callers are expected to handle
 * that.  Only source, cursor and entropy are initialized.
 *
 * source - the source the sample will belong to
 */
static rnd_sample_t *
rnd_sample_allocate_isr(krndsource_t *source)
{
	rnd_sample_t *sample;

	sample = pool_cache_get(rnd_mempc, PR_NOWAIT);
	if (sample == NULL)
		return NULL;

	sample->entropy = 0;
	sample->cursor = 0;
	sample->source = source;
	return sample;
}
/*
 * Return a sample buffer to the cache.  The whole buffer is scrubbed
 * with explicit_memset() first so the raw sample data does not linger
 * in freed memory.
 *
 * c - the sample buffer to release
 */
static void
rnd_sample_free(rnd_sample_t *c)
{
	const size_t len = sizeof(*c);

	explicit_memset(c, 0, len);
	pool_cache_put(rnd_mempc, c);
}
/*
|
2001-09-09 04:32:52 +04:00
|
|
|
* Add a source to our list of sources.
|
1997-10-10 03:13:12 +04:00
|
|
|
*/
|
|
|
|
void
|
2014-08-10 20:44:32 +04:00
|
|
|
rnd_attach_source(krndsource_t *rs, const char *name, uint32_t type,
|
|
|
|
uint32_t flags)
|
1997-10-10 03:13:12 +04:00
|
|
|
{
|
2014-08-10 20:44:32 +04:00
|
|
|
uint32_t ts;
|
1999-02-28 20:18:42 +03:00
|
|
|
|
2000-06-06 05:33:15 +04:00
|
|
|
ts = rnd_counter();
|
1999-02-28 20:18:42 +03:00
|
|
|
|
First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>. This change includes
the following:
An initial cleanup and minor reorganization of the entropy pool
code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are
fixed. Some effort is made to accumulate entropy more quickly at
boot time.
A generic interface, "rndsink", is added, for stream generators to
request that they be re-keyed with good quality entropy from the pool
as soon as it is available.
The arc4random()/arc4randbytes() implementation in libkern is
adjusted to use the rndsink interface for rekeying, which helps
address the problem of low-quality keys at boot time.
An implementation of the FIPS 140-2 statistical tests for random
number generator quality is provided (libkern/rngtest.c). This
is based on Greg Rose's implementation from Qualcomm.
A new random stream generator, nist_ctr_drbg, is provided. It is
based on an implementation of the NIST SP800-90 CTR_DRBG by
Henric Jungheim. This generator users AES in a modified counter
mode to generate a backtracking-resistant random stream.
An abstraction layer, "cprng", is provided for in-kernel consumers
of randomness. The arc4random/arc4randbytes API is deprecated for
in-kernel use. It is replaced by "cprng_strong". The current
cprng_fast implementation wraps the existing arc4random
implementation. The current cprng_strong implementation wraps the
new CTR_DRBG implementation. Both interfaces are rekeyed from
the entropy pool automatically at intervals justifiable from best
current cryptographic practice.
In some quick tests, cprng_fast() is about the same speed as
the old arc4randbytes(), and cprng_strong() is about 20% faster
than rnd_extract_data(). Performance is expected to improve.
The AES code in src/crypto/rijndael is no longer an optional
kernel component, as it is required by cprng_strong, which is
not an optional kernel component.
The entropy pool output is subjected to the rngtest tests at
startup time; if it fails, the system will reboot. There is
approximately a 3/10000 chance of a false positive from these
tests. Entropy pool _input_ from hardware random numbers is
subjected to the rngtest tests at attach time, as well as the
FIPS continuous-output test, to detect bad or stuck hardware
RNGs; if any are detected, they are detached, but the system
continues to run.
A problem with rndctl(8) is fixed -- datastructures with
pointers in arrays are no longer passed to userspace (this
was not a security problem, but rather a major issue for
compat32). A new kernel will require a new rndctl.
The sysctl kern.arandom() and kern.urandom() nodes are hooked
up to the new generators, but the /dev/*random pseudodevices
are not, yet.
Manual pages for the new kernel interfaces are forthcoming.
2011-11-20 02:51:18 +04:00
|
|
|
strlcpy(rs->name, name, sizeof(rs->name));
|
2014-08-10 20:44:32 +04:00
|
|
|
memset(&rs->time_delta, 0, sizeof(rs->time_delta));
|
|
|
|
rs->time_delta.x = ts;
|
|
|
|
memset(&rs->value_delta, 0, sizeof(rs->value_delta));
|
First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>. This change includes
the following:
An initial cleanup and minor reorganization of the entropy pool
code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are
fixed. Some effort is made to accumulate entropy more quickly at
boot time.
A generic interface, "rndsink", is added, for stream generators to
request that they be re-keyed with good quality entropy from the pool
as soon as it is available.
The arc4random()/arc4randbytes() implementation in libkern is
adjusted to use the rndsink interface for rekeying, which helps
address the problem of low-quality keys at boot time.
An implementation of the FIPS 140-2 statistical tests for random
number generator quality is provided (libkern/rngtest.c). This
is based on Greg Rose's implementation from Qualcomm.
A new random stream generator, nist_ctr_drbg, is provided. It is
based on an implementation of the NIST SP800-90 CTR_DRBG by
Henric Jungheim. This generator users AES in a modified counter
mode to generate a backtracking-resistant random stream.
An abstraction layer, "cprng", is provided for in-kernel consumers
of randomness. The arc4random/arc4randbytes API is deprecated for
in-kernel use. It is replaced by "cprng_strong". The current
cprng_fast implementation wraps the existing arc4random
implementation. The current cprng_strong implementation wraps the
new CTR_DRBG implementation. Both interfaces are rekeyed from
the entropy pool automatically at intervals justifiable from best
current cryptographic practice.
In some quick tests, cprng_fast() is about the same speed as
the old arc4randbytes(), and cprng_strong() is about 20% faster
than rnd_extract_data(). Performance is expected to improve.
The AES code in src/crypto/rijndael is no longer an optional
kernel component, as it is required by cprng_strong, which is
not an optional kernel component.
The entropy pool output is subjected to the rngtest tests at
startup time; if it fails, the system will reboot. There is
approximately a 3/10000 chance of a false positive from these
tests. Entropy pool _input_ from hardware random numbers is
subjected to the rngtest tests at attach time, as well as the
FIPS continuous-output test, to detect bad or stuck hardware
RNGs; if any are detected, they are detached, but the system
continues to run.
A problem with rndctl(8) is fixed -- datastructures with
pointers in arrays are no longer passed to userspace (this
was not a security problem, but rather a major issue for
compat32). A new kernel will require a new rndctl.
The sysctl kern.arandom() and kern.urandom() nodes are hooked
up to the new generators, but the /dev/*random pseudodevices
are not, yet.
Manual pages for the new kernel interfaces are forthcoming.
2011-11-20 02:51:18 +04:00
|
|
|
rs->total = 0;
|
1997-10-10 03:13:12 +04:00
|
|
|
|
1997-10-10 20:35:00 +04:00
|
|
|
/*
|
2013-01-27 02:22:07 +04:00
|
|
|
* Some source setup, by type
|
1997-10-10 20:35:00 +04:00
|
|
|
*/
|
2013-01-27 02:22:07 +04:00
|
|
|
rs->test = NULL;
|
|
|
|
rs->test_cnt = -1;
|
1999-02-28 20:18:42 +03:00
|
|
|
|
2014-08-10 20:44:32 +04:00
|
|
|
if (flags == 0) {
|
|
|
|
flags = RND_FLAG_DEFAULT;
|
|
|
|
}
|
|
|
|
|
2013-01-27 02:22:07 +04:00
|
|
|
switch (type) {
|
2015-08-05 19:51:09 +03:00
|
|
|
case RND_TYPE_NET: /* Don't collect by default */
|
2013-01-27 02:22:07 +04:00
|
|
|
flags |= (RND_FLAG_NO_COLLECT | RND_FLAG_NO_ESTIMATE);
|
|
|
|
break;
|
2015-08-05 19:51:09 +03:00
|
|
|
case RND_TYPE_RNG: /* Space for statistical testing */
|
First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>. This change includes
the following:
An initial cleanup and minor reorganization of the entropy pool
code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are
fixed. Some effort is made to accumulate entropy more quickly at
boot time.
A generic interface, "rndsink", is added, for stream generators to
request that they be re-keyed with good quality entropy from the pool
as soon as it is available.
The arc4random()/arc4randbytes() implementation in libkern is
adjusted to use the rndsink interface for rekeying, which helps
address the problem of low-quality keys at boot time.
An implementation of the FIPS 140-2 statistical tests for random
number generator quality is provided (libkern/rngtest.c). This
is based on Greg Rose's implementation from Qualcomm.
A new random stream generator, nist_ctr_drbg, is provided. It is
based on an implementation of the NIST SP800-90 CTR_DRBG by
Henric Jungheim. This generator users AES in a modified counter
mode to generate a backtracking-resistant random stream.
An abstraction layer, "cprng", is provided for in-kernel consumers
of randomness. The arc4random/arc4randbytes API is deprecated for
in-kernel use. It is replaced by "cprng_strong". The current
cprng_fast implementation wraps the existing arc4random
implementation. The current cprng_strong implementation wraps the
new CTR_DRBG implementation. Both interfaces are rekeyed from
the entropy pool automatically at intervals justifiable from best
current cryptographic practice.
In some quick tests, cprng_fast() is about the same speed as
the old arc4randbytes(), and cprng_strong() is about 20% faster
than rnd_extract_data(). Performance is expected to improve.
The AES code in src/crypto/rijndael is no longer an optional
kernel component, as it is required by cprng_strong, which is
not an optional kernel component.
The entropy pool output is subjected to the rngtest tests at
startup time; if it fails, the system will reboot. There is
approximately a 3/10000 chance of a false positive from these
tests. Entropy pool _input_ from hardware random numbers is
subjected to the rngtest tests at attach time, as well as the
FIPS continuous-output test, to detect bad or stuck hardware
RNGs; if any are detected, they are detached, but the system
continues to run.
A problem with rndctl(8) is fixed -- datastructures with
pointers in arrays are no longer passed to userspace (this
was not a security problem, but rather a major issue for
compat32). A new kernel will require a new rndctl.
The sysctl kern.arandom() and kern.urandom() nodes are hooked
up to the new generators, but the /dev/*random pseudodevices
are not, yet.
Manual pages for the new kernel interfaces are forthcoming.
2011-11-20 02:51:18 +04:00
|
|
|
rs->test = kmem_alloc(sizeof(rngtest_t), KM_NOSLEEP);
|
|
|
|
rs->test_cnt = 0;
|
2013-01-27 02:22:07 +04:00
|
|
|
/* FALLTHRU */
|
2015-08-05 19:51:09 +03:00
|
|
|
case RND_TYPE_VM: /* Process samples in bulk always */
|
2013-01-27 02:22:07 +04:00
|
|
|
flags |= RND_FLAG_FAST;
|
|
|
|
break;
|
2015-08-05 19:51:09 +03:00
|
|
|
default:
|
2013-01-27 02:22:07 +04:00
|
|
|
break;
|
}
|
|
|
|
|
|
|
|
rs->type = type;
|
|
|
|
rs->flags = flags;
|
2015-04-21 06:53:07 +03:00
|
|
|
rs->refcnt = 1;
|
1997-10-10 20:35:00 +04:00
|
|
|
|
rs->state = rnd_sample_allocate(rs);
|
1997-10-10 03:13:12 +04:00
|
|
|
|
2015-04-14 16:23:25 +03:00
|
|
|
mutex_spin_enter(&rnd_global.lock);
|
2018-07-03 21:09:28 +03:00
|
|
|
|
|
|
|
#ifdef DIAGNOSTIC
|
|
|
|
krndsource_t *s;
|
|
|
|
LIST_FOREACH(s, &rnd_global.sources, list) {
|
|
|
|
if (s == rs) {
|
|
|
|
panic("%s: source '%s' already attached",
|
|
|
|
__func__, name);
|
|
|
|
/* NOTREACHED */
|
|
|
|
}
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2015-04-14 16:23:25 +03:00
|
|
|
LIST_INSERT_HEAD(&rnd_global.sources, rs, list);
|
1997-10-10 03:13:12 +04:00
|
|
|
|
|
|
|
#ifdef RND_VERBOSE
|
2015-04-08 05:32:26 +03:00
|
|
|
rnd_printf_verbose("rnd: %s attached as an entropy source (",
|
|
|
|
rs->name);
|
2002-10-07 13:41:51 +04:00
|
|
|
if (!(flags & RND_FLAG_NO_COLLECT)) {
|
2015-04-08 05:32:26 +03:00
|
|
|
rnd_printf_verbose("collecting");
|
2002-10-07 13:41:51 +04:00
|
|
|
if (flags & RND_FLAG_NO_ESTIMATE)
|
2015-04-08 05:32:26 +03:00
|
|
|
rnd_printf_verbose(" without estimation");
|
2015-08-05 19:51:09 +03:00
|
|
|
} else {
|
2015-04-08 05:32:26 +03:00
|
|
|
rnd_printf_verbose("off");
|
2015-08-05 19:51:09 +03:00
|
|
|
}
|
2015-04-08 05:32:26 +03:00
|
|
|
rnd_printf_verbose(")\n");
|
1997-10-10 03:13:12 +04:00
|
|
|
#endif
|
2002-10-07 13:41:51 +04:00
|
|
|
|
2005-02-27 03:26:58 +03:00
|
|
|
/*
|
2002-10-07 13:41:51 +04:00
|
|
|
* Again, put some more initial junk in the pool.
|
2014-08-10 20:44:32 +04:00
|
|
|
* FreeBSD claim to have an analysis that show 4 bits of
|
|
|
|
* entropy per source-attach timestamp. I am skeptical,
|
|
|
|
* but we count 1 bit per source here.
|
2002-10-07 13:41:51 +04:00
|
|
|
*/
|
2015-04-14 16:23:25 +03:00
|
|
|
rndpool_add_data(&rnd_global.pool, &ts, sizeof(ts), 1);
|
|
|
|
mutex_spin_exit(&rnd_global.lock);
|
1997-10-10 03:13:12 +04:00
|
|
|
}
|
|
|
|
|
1997-10-19 15:43:05 +04:00
|
|
|
/*
|
2001-09-09 04:32:52 +04:00
|
|
|
* Remove a source from our list of sources.
|
1997-10-19 15:43:05 +04:00
|
|
|
*/
|
|
|
|
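/*
 * Remove a source from our list of sources.
 *
 * Unlinks "source" from rnd_global.sources, waits under rnd_global.lock
 * until every other reference to it has been dropped, orphans any of its
 * samples still sitting in rnd_samples.q, and frees the per-source state
 * that rnd_attach_source() allocated.  The krndsource_t itself belongs to
 * the caller and is not freed here.
 */
void
rnd_detach_source(krndsource_t *source)
{
	rnd_sample_t *sample;

	/*
	 * Unlink the source and wait for outstanding references to drain.
	 * The attach path starts refcnt at 1; dropping that one leaves
	 * only references held by in-flight users of the source.
	 */
	mutex_spin_enter(&rnd_global.lock);
	LIST_REMOVE(source, list);
	if (0 < --source->refcnt) {
		do {
			cv_wait(&rnd_global.cv, &rnd_global.lock);
		} while (0 < source->refcnt);
	}
	mutex_spin_exit(&rnd_global.lock);

	/*
	 * If there are samples queued up "remove" them from the sample queue
	 * by setting the source to the no-collect pseudosource, so that the
	 * sample processing path never dereferences a detached source.
	 */
	mutex_spin_enter(&rnd_samples.lock);
	for (sample = SIMPLEQ_FIRST(&rnd_samples.q); sample != NULL;
	    sample = SIMPLEQ_NEXT(sample, next)) {
		if (sample->source == source)
			sample->source = &rnd_source_no_collect;
	}
	mutex_spin_exit(&rnd_samples.lock);

	if (source->state != NULL) {
		rnd_sample_free(source->state);
		source->state = NULL;
	}

	/*
	 * Mirror the state handling above: clear the pointer after freeing
	 * so nothing that later tests rs->test can dereference or double
	 * free the stale allocation.  (The original left it dangling.)
	 */
	if (source->test != NULL) {
		kmem_free(source->test, sizeof(rngtest_t));
		source->test = NULL;
	}

	rnd_printf_verbose("rnd: %s detached as an entropy source\n",
	    source->name);
}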
|
2001-09-09 04:32:52 +04:00
|
|
|
|
2014-08-10 20:44:32 +04:00
|
|
|
/*
 * Compute the entropy credit for one sample from source "rs", given its
 * timestamp "ts" and the sampled value "val".
 *
 * Both estimators are always stepped, because (as the callers note) they
 * keep per-source history that becomes invalid if a sample is skipped.
 * Their results are only summed into the credit when the source permits
 * estimation at all (no RND_FLAG_NO_ESTIMATE), and then only for the
 * dimensions it opted into via RND_FLAG_ESTIMATE_TIME and
 * RND_FLAG_ESTIMATE_VALUE.  A source with neither flag set is credited
 * zero bits regardless of what it delivers.
 */
static inline uint32_t
rnd_estimate(krndsource_t *rs, uint32_t ts, uint32_t val)
{
	const uint32_t time_bits = rnd_dt_estimate(rs, ts);
	const uint32_t value_bits = rnd_dv_estimate(rs, val);
	uint32_t credit = 0;

	if (rs->flags & RND_FLAG_NO_ESTIMATE)
		return credit;

	if (rs->flags & RND_FLAG_ESTIMATE_TIME)
		credit += time_bits;
	if (rs->flags & RND_FLAG_ESTIMATE_VALUE)
		credit += value_bits;

	return credit;
}
|
|
|
|
|
1997-10-10 03:13:12 +04:00
|
|
|
/*
|
2012-02-02 23:42:57 +04:00
|
|
|
* Add a 32-bit value to the entropy pool. The rs parameter should point to
|
|
|
|
* the source-specific source structure.
|
1997-10-10 03:13:12 +04:00
|
|
|
*/
|
|
|
|
/*
 * Add a 32-bit value to the entropy pool. The rs parameter should point to
 * the source-specific source structure.
 *
 * Sources marked RND_FLAG_NO_COLLECT are ignored outright.  Otherwise the
 * counter is read before any other work so the timestamp reflects the
 * event rather than our own processing delay (late sampling would inflate
 * the timing estimate), the estimators are stepped unconditionally to keep
 * their history valid, and the value is handed to rnd_add_data_ts() with
 * the resulting credit and schedule = true.
 */
void
_rnd_add_uint32(krndsource_t *rs, uint32_t val)
{
	uint32_t ts;
	uint32_t credit;

	if (rs->flags & RND_FLAG_NO_COLLECT)
		return;

	/* Sample the counter as soon as possible to avoid overestimation. */
	ts = rnd_counter();

	/* Always step the estimators, even when the credit is discarded. */
	credit = rnd_estimate(rs, ts, val);

	rnd_add_data_ts(rs, &val, sizeof(val), credit, ts, true);
}
|
|
|
|
|
|
|
|
/*
 * Add a 64-bit value to the entropy pool.  The rs parameter should point
 * to the source-specific source structure.
 *
 * Behaves like _rnd_add_uint32(): NO_COLLECT sources are ignored, the
 * counter is sampled first to avoid overestimating timing entropy, and
 * the estimators are always stepped.  Note that only the low 32 bits of
 * "val" feed the value estimator (rnd_estimate() takes a uint32_t), while
 * all 8 bytes are queued into the pool.
 */
void
_rnd_add_uint64(krndsource_t *rs, uint64_t val)
{
	uint32_t ts;
	uint32_t credit;
	uint32_t low32;

	if (rs->flags & RND_FLAG_NO_COLLECT)
		return;

	/* Sample the counter as soon as possible to avoid overestimation. */
	ts = rnd_counter();

	/* Value estimator sees the low half only; history must stay current. */
	low32 = (uint32_t)(val & (uint64_t)0xffffffff);
	credit = rnd_estimate(rs, ts, low32);

	rnd_add_data_ts(rs, &val, sizeof(val), credit, ts, true);
}
|
1999-02-28 20:18:42 +03:00
|
|
|
|
/*
 * Add "len" bytes of caller-supplied data to the entropy pool, crediting
 * "entropy" bits for it.
 *
 * This interface is meant for feeding data which is, itself, random, so
 * no timestamp-based estimation is done: the caller's entropy figure is
 * taken at face value and callers must not over-claim.  With rs == NULL
 * the data bypasses the per-source sample queue entirely and is mixed
 * straight into the global pool under rnd_global.lock; with a source it
 * goes through rnd_add_data_ts() with a fresh counter timestamp and
 * schedule = true.
 */
void
rnd_add_data(krndsource_t *rs, const void *const data, uint32_t len,
    uint32_t entropy)
{

	if (__predict_false(rs == NULL)) {
		/* Sourceless input: stir it into the pool directly. */
		mutex_spin_enter(&rnd_global.lock);
		rndpool_add_data(&rnd_global.pool, data, len, entropy);
		mutex_spin_exit(&rnd_global.lock);
		return;
	}

	rnd_add_data_ts(rs, data, len, entropy, rnd_counter(), true);
}
|
|
|
|
|
2016-02-17 03:43:42 +03:00
|
|
|
/*
 * Variant of rnd_add_data() that queues the data without requesting that
 * sample processing be scheduled (schedule = false to rnd_add_data_ts()).
 * Unlike rnd_add_data() there is no NULL-source fallback into the global
 * pool; a source is required.  The caller's entropy credit is taken as-is.
 */
void
rnd_add_data_sync(krndsource_t *rs, const void *data, uint32_t len,
    uint32_t entropy)
{
	uint32_t ts;

	KASSERT(rs != NULL);
	ts = rnd_counter();
	rnd_add_data_ts(rs, data, len, entropy, ts, false);
}
|
|
|
|
|
2012-02-02 23:42:57 +04:00
|
|
|
static void
|
2015-04-14 15:28:12 +03:00
|
|
|
rnd_add_data_ts(krndsource_t *rs, const void *const data, uint32_t len,
|
2016-02-17 03:43:42 +03:00
|
|
|
uint32_t entropy, uint32_t ts, bool schedule)
|
{
|
|
|
|
rnd_sample_t *state = NULL;
|
2014-08-11 18:07:55 +04:00
|
|
|
const uint8_t *p = data;
uint32_t dint;
int todo, done, filled = 0;
int sample_count;
struct rnd_sampleq tmp_samples = SIMPLEQ_HEAD_INITIALIZER(tmp_samples);
if (rs &&
(rs->flags & RND_FLAG_NO_COLLECT ||
__predict_false(!(rs->flags &
(RND_FLAG_COLLECT_TIME|RND_FLAG_COLLECT_VALUE))))) {
return;
}
todo = len / sizeof(dint);
/*
* Let's try to be efficient: if we are warm, and a source
* is adding entropy at a rate of at least 1 bit every 10 seconds,
* mark it as "fast" and add its samples in bulk.
*/
if (__predict_true(rs->flags & RND_FLAG_FAST) ||
(todo >= RND_SAMPLE_COUNT)) {
sample_count = RND_SAMPLE_COUNT;
} else {
if (!(rs->flags & RND_FLAG_HASCB) &&
!cold && rnd_initial_entropy) {
struct timeval upt;
getmicrouptime(&upt);
if ((upt.tv_sec > 0 && rs->total > upt.tv_sec * 10) ||
(upt.tv_sec > 10 && rs->total > upt.tv_sec) ||
(upt.tv_sec > 100 &&
rs->total > upt.tv_sec / 10)) {
rnd_printf_verbose("rnd: source %s is fast"
" (%d samples at once,"
" %d bits in %lld seconds), "
"processing samples in bulk.\n",
rs->name, todo, rs->total,
(long long int)upt.tv_sec);
rs->flags |= RND_FLAG_FAST;
}
}
sample_count = 2;
}
/*
* Loop over data packaging it into sample buffers.
* If a sample buffer allocation fails, drop all data.
*/
for (done = 0; done < todo ; done++) {
state = rs->state;
if (state == NULL) {
state = rnd_sample_allocate_isr(rs);
if (__predict_false(state == NULL)) {
break;
}
rs->state = state;
}
state->ts[state->cursor] = ts;
(void)memcpy(&dint, &p[done*4], 4);
state->values[state->cursor] = dint;
state->cursor++;
if (state->cursor == sample_count) {
SIMPLEQ_INSERT_HEAD(&tmp_samples, state, next);
filled++;
rs->state = NULL;
}
}
if (__predict_false(state == NULL)) {
while ((state = SIMPLEQ_FIRST(&tmp_samples))) {
SIMPLEQ_REMOVE_HEAD(&tmp_samples, next);
rnd_sample_free(state);
}
return;
}
/*
* Claim all the entropy on the last one we send to
* the pool, so we don't rely on it being evenly distributed
* in the supplied data.
*
* XXX The rndpool code must accept samples with more
* XXX claimed entropy than bits for this to work right.
*/
state->entropy += entropy;
rs->total += entropy;
/*
* If we didn't finish any sample buffers, we're done.
*/
if (!filled) {
return;
}
mutex_spin_enter(&rnd_samples.lock);
while ((state = SIMPLEQ_FIRST(&tmp_samples))) {
SIMPLEQ_REMOVE_HEAD(&tmp_samples, next);
SIMPLEQ_INSERT_HEAD(&rnd_samples.q, state, next);
}
mutex_spin_exit(&rnd_samples.lock);
/* Cause processing of queued samples, if caller wants it. */
if (schedule)
rnd_schedule_process();
}
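/*
 * rnd_hwrng_test: sanity-check one sample buffer from a hardware RNG
 * source before its contents are credited to the entropy pool.
 *
 * Two checks are applied:
 *
 *  1. A continuous-output test: the two halves of sample->values are
 *     compared, and identical halves indicate a stuck or repeating
 *     generator.  This runs on every sample.
 *
 *  2. The FIPS 140 statistical test (rngtest()): the first
 *     FIPS140_RNG_TEST_BYTES of output from the source are accumulated
 *     in source->test across successive calls and tested once the
 *     buffer is full.  A pass is recorded by setting source->test_cnt
 *     to -1, after which this check is skipped for the source.
 *
 * Returns 0 if the sample is acceptable and 1 if the source failed a
 * test.  The sample itself is never modified; what happens to a failing
 * source is up to the caller.
 */
static int
rnd_hwrng_test(rnd_sample_t *sample)
{
	krndsource_t *source = sample->source;
	const uint8_t *v1, *v2;
	size_t cmplen, resid, totest;

	KASSERT(source->type == RND_TYPE_RNG);

	/*
	 * Continuous-output test: compare two halves of the
	 * sample buffer to each other. The sample buffer (64 ints,
	 * so either 256 or 512 bytes on any modern machine) should be
	 * much larger than a typical hardware RNG output, so this seems
	 * a reasonable way to do it without retaining extra data.
	 */
	cmplen = sizeof(sample->values) / 2;
	v1 = (const uint8_t *)sample->values;
	v2 = v1 + cmplen;

	if (__predict_false(memcmp(v1, v2, cmplen) == 0)) {
		rnd_printf("rnd: source \"%s\""
		    " failed continuous-output test.\n",
		    source->name);
		return 1;
	}

	/*
	 * FIPS 140 statistical RNG test. We must accumulate 20,000 bits
	 * (FIPS140_RNG_TEST_BYTES) before the test can run; a test_cnt
	 * of -1 marks a source that has already passed.
	 */
	if (__predict_true(source->test_cnt == -1)) {
		/* already passed the test */
		return 0;
	}

	/*
	 * The test state is dereferenced below; it is expected to have
	 * been allocated when the RNG source was attached (not visible
	 * here), so make a missing one fail loudly rather than fault.
	 */
	KASSERT(source->test != NULL);

	resid = FIPS140_RNG_TEST_BYTES - source->test_cnt;
	/*
	 * Copy as much of this sample as still fits in the test buffer.
	 * Use the real size of the sample array rather than assuming
	 * RND_SAMPLE_COUNT four-byte words; resid keeps the write to
	 * rt_b within bounds.
	 */
	totest = MIN(sizeof(sample->values), resid);
	memcpy(source->test->rt_b + source->test_cnt, sample->values, totest);
	resid -= totest;
	source->test_cnt += totest;

	if (resid == 0) {
		/* rt_name presumably labels rngtest()'s own diagnostics. */
		strlcpy(source->test->rt_name, source->name,
		    sizeof(source->test->rt_name));
		if (rngtest(source->test)) {
			/* Terminated with a newline like the message above. */
			rnd_printf("rnd: source \"%s\""
			    " failed statistical test.\n",
			    source->name);
			return 1;
		}
		source->test_cnt = -1;
		/*
		 * Scrub the raw RNG output retained for the test;
		 * explicit_memset() so the clear cannot be optimized away.
		 */
		explicit_memset(source->test, 0, sizeof(*source->test));
	}
	return 0;
}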
/*
* Process the events in the ring buffer. Called by rnd_timeout or
* by the add routines directly if the callout has never fired (that
* is, if we are "cold" -- just booted).
*
*/
static void
rnd_process_events(void)
{
rnd_sample_t *sample = NULL;
krndsource_t *source;
static krndsource_t *last_source;
uint32_t entropy;
size_t pool_entropy;
int wake = 0;
struct rnd_sampleq dq_samples = SIMPLEQ_HEAD_INITIALIZER(dq_samples);
struct rnd_sampleq df_samples = SIMPLEQ_HEAD_INITIALIZER(df_samples);
/*
* Drain to the on-stack queue and drop the lock.
*/
mutex_spin_enter(&rnd_samples.lock);
while ((sample = SIMPLEQ_FIRST(&rnd_samples.q))) {
SIMPLEQ_REMOVE_HEAD(&rnd_samples.q, next);
/*
* We repeat this check here, since it is possible
* the source was disabled before we were called, but
* after the entry was queued.
*/
if (__predict_false(!(sample->source->flags &
(RND_FLAG_COLLECT_TIME|RND_FLAG_COLLECT_VALUE)))) {
SIMPLEQ_INSERT_TAIL(&df_samples, sample, next);
} else {
SIMPLEQ_INSERT_TAIL(&dq_samples, sample, next);
}
}
mutex_spin_exit(&rnd_samples.lock);
/* Don't thrash the rndpool mtx either. Hold, add all samples. */
mutex_spin_enter(&rnd_global.lock);
pool_entropy = rndpool_get_entropy_count(&rnd_global.pool);
while ((sample = SIMPLEQ_FIRST(&dq_samples))) {
int sample_count;
SIMPLEQ_REMOVE_HEAD(&dq_samples, next);
source = sample->source;
entropy = sample->entropy;
sample_count = sample->cursor;
/*
* Don't provide a side channel for timing attacks on
* low-rate sources: require mixing with some other
* source before we schedule a wakeup.
*/
if (!wake &&
(source != last_source || source->flags & RND_FLAG_FAST)) {
wake++;
}
last_source = source;
/*
* If the source has been disabled, ignore samples from
* it.
*/
if (source->flags & RND_FLAG_NO_COLLECT)
goto skip;
/*
* Hardware generators are great but sometimes they
* have...hardware issues. Don't use any data from
* them unless it passes some tests.
*/
if (source->type == RND_TYPE_RNG) {
if (__predict_false(rnd_hwrng_test(sample))) {
source->flags |= RND_FLAG_NO_COLLECT;
rnd_printf("rnd: disabling source \"%s\".\n",
source->name);
goto skip;
}
}
if (source->flags & RND_FLAG_COLLECT_VALUE) {
rndpool_add_data(&rnd_global.pool, sample->values,
sample_count * sizeof(sample->values[1]),
0);
}
if (source->flags & RND_FLAG_COLLECT_TIME) {
rndpool_add_data(&rnd_global.pool, sample->ts,
sample_count * sizeof(sample->ts[1]),
0);
}
pool_entropy += entropy;
source->total += sample->entropy;
skip: SIMPLEQ_INSERT_TAIL(&df_samples, sample, next);
}
rndpool_set_entropy_count(&rnd_global.pool, pool_entropy);
rnd_entropy_added();
mutex_spin_exit(&rnd_global.lock);
/*
* If we filled the pool past the threshold, wake anyone
* waiting for entropy.
*/
if (pool_entropy > RND_ENTROPY_THRESHOLD * 8) {
wake++;
}
/* Now we hold no locks: clean up. */
while ((sample = SIMPLEQ_FIRST(&df_samples))) {
SIMPLEQ_REMOVE_HEAD(&df_samples, next);
rnd_sample_free(sample);
}
/*
* Wake up any potential readers waiting.
*/
if (wake) {
rnd_schedule_wakeup();
}
}
/*
 * rnd_intr(arg)
 *
 *	Drain the queued samples by calling rnd_process_events().
 *	arg is not used; from the void * signature this is presumably
 *	the handler registered for a soft interrupt -- confirm at the
 *	registration site, which is not in this function.
 */
static void
rnd_intr(void *arg)
{

	(void)arg;	/* handler argument carries nothing we need */
	rnd_process_events();
}
/*
 * rnd_wake(arg)
 *
 *	Call rndsinks_distribute().  arg is not used.  From the name,
 *	rndsinks_distribute() presumably feeds the rndsinks that are
 *	waiting for entropy -- confirm against its definition, which is
 *	not in this block.
 */
static void
rnd_wake(void *arg)
{

	(void)arg;	/* handler argument carries nothing we need */
	rndsinks_distribute();
}
static uint32_t
|
2015-04-14 15:28:12 +03:00
|
|
|
rnd_extract_data(void *p, uint32_t len, uint32_t flags)
|
1997-10-10 03:13:12 +04:00
|
|
|
{
|
2012-09-05 22:06:52 +04:00
|
|
|
static int timed_in;
|
2015-04-08 05:32:26 +03:00
|
|
|
uint32_t retval;
|
1997-10-10 03:13:12 +04:00
|
|
|
|
2015-04-14 16:23:25 +03:00
|
|
|
mutex_spin_enter(&rnd_global.lock);
|
2012-09-05 22:06:52 +04:00
|
|
|
if (__predict_false(!timed_in)) {
|
|
|
|
if (boottime.tv_sec) {
|
2015-04-14 16:23:25 +03:00
|
|
|
rndpool_add_data(&rnd_global.pool, &boottime,
|
2015-08-05 19:51:09 +03:00
|
|
|
sizeof(boottime), 0);
|
2012-09-05 22:06:52 +04:00
|
|
|
}
|
|
|
|
timed_in++;
|
|
|
|
}
|
2012-09-05 22:57:33 +04:00
|
|
|
if (__predict_false(!rnd_initial_entropy)) {
|
2014-08-10 20:44:32 +04:00
|
|
|
uint32_t c;
|
2011-10-12 03:55:30 +04:00
|
|
|
|
2015-04-08 05:32:26 +03:00
|
|
|
rnd_printf_verbose("rnd: WARNING! initial entropy low (%u).\n",
|
2015-08-05 19:51:09 +03:00
|
|
|
rndpool_get_entropy_count(&rnd_global.pool));
|
2002-10-09 18:48:58 +04:00
|
|
|
/* Try once again to put something in the pool */
|
|
|
|
c = rnd_counter();
|
2015-04-14 16:23:25 +03:00
|
|
|
rndpool_add_data(&rnd_global.pool, &c, sizeof(c), 1);
|
2002-10-07 15:02:20 +04:00
|
|
|
}
|
2011-12-18 00:05:38 +04:00
|
|
|
|
|
|
|
#ifdef DIAGNOSTIC
|
|
|
|
while (!rnd_tested) {
|
2016-02-17 04:23:32 +03:00
|
|
|
int entropy_count =
|
|
|
|
rndpool_get_entropy_count(&rnd_global.pool);
|
2015-04-08 05:32:26 +03:00
|
|
|
rnd_printf_verbose("rnd: starting statistical RNG test,"
|
|
|
|
" entropy = %d.\n",
|
|
|
|
entropy_count);
|
2015-04-14 16:23:25 +03:00
|
|
|
if (rndpool_extract_data(&rnd_global.pool, rnd_rt.rt_b,
|
2015-08-05 19:51:09 +03:00
|
|
|
sizeof(rnd_rt.rt_b), RND_EXTRACT_ANY)
|
2011-12-18 00:05:38 +04:00
|
|
|
!= sizeof(rnd_rt.rt_b)) {
|
First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>. This change includes
the following:
An initial cleanup and minor reorganization of the entropy pool
code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are
fixed. Some effort is made to accumulate entropy more quickly at
boot time.
A generic interface, "rndsink", is added, for stream generators to
request that they be re-keyed with good quality entropy from the pool
as soon as it is available.
The arc4random()/arc4randbytes() implementation in libkern is
adjusted to use the rndsink interface for rekeying, which helps
address the problem of low-quality keys at boot time.
An implementation of the FIPS 140-2 statistical tests for random
number generator quality is provided (libkern/rngtest.c). This
is based on Greg Rose's implementation from Qualcomm.
A new random stream generator, nist_ctr_drbg, is provided. It is
based on an implementation of the NIST SP800-90 CTR_DRBG by
Henric Jungheim. This generator users AES in a modified counter
mode to generate a backtracking-resistant random stream.
An abstraction layer, "cprng", is provided for in-kernel consumers
of randomness. The arc4random/arc4randbytes API is deprecated for
in-kernel use. It is replaced by "cprng_strong". The current
cprng_fast implementation wraps the existing arc4random
implementation. The current cprng_strong implementation wraps the
new CTR_DRBG implementation. Both interfaces are rekeyed from
the entropy pool automatically at intervals justifiable from best
current cryptographic practice.
In some quick tests, cprng_fast() is about the same speed as
the old arc4randbytes(), and cprng_strong() is about 20% faster
than rnd_extract_data(). Performance is expected to improve.
The AES code in src/crypto/rijndael is no longer an optional
kernel component, as it is required by cprng_strong, which is
not an optional kernel component.
The entropy pool output is subjected to the rngtest tests at
startup time; if it fails, the system will reboot. There is
approximately a 3/10000 chance of a false positive from these
tests. Entropy pool _input_ from hardware random numbers is
subjected to the rngtest tests at attach time, as well as the
FIPS continuous-output test, to detect bad or stuck hardware
RNGs; if any are detected, they are detached, but the system
continues to run.
A problem with rndctl(8) is fixed -- datastructures with
pointers in arrays are no longer passed to userspace (this
was not a security problem, but rather a major issue for
compat32). A new kernel will require a new rndctl.
The sysctl kern.arandom() and kern.urandom() nodes are hooked
up to the new generators, but the /dev/*random pseudodevices
are not, yet.
Manual pages for the new kernel interfaces are forthcoming.
2011-11-20 02:51:18 +04:00
|
|
|
panic("rnd: could not get bits for statistical test");
|
|
|
|
}
|
|
|
|
/*
|
|
|
|
* Stash the tested bits so we can put them back in the
|
|
|
|
* pool, restoring the entropy count. DO NOT rely on
|
|
|
|
* rngtest to maintain the bits pristine -- we could end
|
|
|
|
* up adding back non-random data claiming it were pure
|
|
|
|
* entropy.
|
|
|
|
*/
|
2011-12-18 00:05:38 +04:00
|
|
|
memcpy(rnd_testbits, rnd_rt.rt_b, sizeof(rnd_rt.rt_b));
|
2015-08-05 19:51:09 +03:00
|
|
|
strlcpy(rnd_rt.rt_name, "entropy pool",
|
|
|
|
sizeof(rnd_rt.rt_name));
|
2011-12-18 00:05:38 +04:00
|
|
|
if (rngtest(&rnd_rt)) {
|
First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>. This change includes
the following:
An initial cleanup and minor reorganization of the entropy pool
code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are
fixed. Some effort is made to accumulate entropy more quickly at
boot time.
A generic interface, "rndsink", is added, for stream generators to
request that they be re-keyed with good quality entropy from the pool
as soon as it is available.
The arc4random()/arc4randbytes() implementation in libkern is
adjusted to use the rndsink interface for rekeying, which helps
address the problem of low-quality keys at boot time.
An implementation of the FIPS 140-2 statistical tests for random
number generator quality is provided (libkern/rngtest.c). This
is based on Greg Rose's implementation from Qualcomm.
A new random stream generator, nist_ctr_drbg, is provided. It is
based on an implementation of the NIST SP800-90 CTR_DRBG by
Henric Jungheim. This generator users AES in a modified counter
mode to generate a backtracking-resistant random stream.
An abstraction layer, "cprng", is provided for in-kernel consumers
of randomness. The arc4random/arc4randbytes API is deprecated for
in-kernel use. It is replaced by "cprng_strong". The current
cprng_fast implementation wraps the existing arc4random
implementation. The current cprng_strong implementation wraps the
new CTR_DRBG implementation. Both interfaces are rekeyed from
the entropy pool automatically at intervals justifiable from best
current cryptographic practice.
In some quick tests, cprng_fast() is about the same speed as
the old arc4randbytes(), and cprng_strong() is about 20% faster
than rnd_extract_data(). Performance is expected to improve.
The AES code in src/crypto/rijndael is no longer an optional
kernel component, as it is required by cprng_strong, which is
not an optional kernel component.
The entropy pool output is subjected to the rngtest tests at
startup time; if it fails, the system will reboot. There is
approximately a 3/10000 chance of a false positive from these
tests. Entropy pool _input_ from hardware random numbers is
subjected to the rngtest tests at attach time, as well as the
FIPS continuous-output test, to detect bad or stuck hardware
RNGs; if any are detected, they are detached, but the system
continues to run.
A problem with rndctl(8) is fixed -- datastructures with
pointers in arrays are no longer passed to userspace (this
was not a security problem, but rather a major issue for
compat32). A new kernel will require a new rndctl.
The sysctl kern.arandom() and kern.urandom() nodes are hooked
up to the new generators, but the /dev/*random pseudodevices
are not, yet.
Manual pages for the new kernel interfaces are forthcoming.
2011-11-20 02:51:18 +04:00
|
|
|
/*
|
|
|
|
* The probabiliity of a Type I error is 3/10000,
|
|
|
|
* but note this can only happen at boot time.
|
|
|
|
* The relevant standard says to reset the module,
|
2011-12-18 00:05:38 +04:00
|
|
|
* but developers objected...
|
First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>. This change includes
the following:
An initial cleanup and minor reorganization of the entropy pool
code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are
fixed. Some effort is made to accumulate entropy more quickly at
boot time.
A generic interface, "rndsink", is added, for stream generators to
request that they be re-keyed with good quality entropy from the pool
as soon as it is available.
The arc4random()/arc4randbytes() implementation in libkern is
adjusted to use the rndsink interface for rekeying, which helps
address the problem of low-quality keys at boot time.
An implementation of the FIPS 140-2 statistical tests for random
number generator quality is provided (libkern/rngtest.c). This
is based on Greg Rose's implementation from Qualcomm.
A new random stream generator, nist_ctr_drbg, is provided. It is
based on an implementation of the NIST SP800-90 CTR_DRBG by
Henric Jungheim. This generator users AES in a modified counter
mode to generate a backtracking-resistant random stream.
An abstraction layer, "cprng", is provided for in-kernel consumers
of randomness. The arc4random/arc4randbytes API is deprecated for
in-kernel use. It is replaced by "cprng_strong". The current
cprng_fast implementation wraps the existing arc4random
implementation. The current cprng_strong implementation wraps the
new CTR_DRBG implementation. Both interfaces are rekeyed from
the entropy pool automatically at intervals justifiable from best
current cryptographic practice.
In some quick tests, cprng_fast() is about the same speed as
the old arc4randbytes(), and cprng_strong() is about 20% faster
than rnd_extract_data(). Performance is expected to improve.
The AES code in src/crypto/rijndael is no longer an optional
kernel component, as it is required by cprng_strong, which is
not an optional kernel component.
The entropy pool output is subjected to the rngtest tests at
startup time; if it fails, the system will reboot. There is
approximately a 3/10000 chance of a false positive from these
tests. Entropy pool _input_ from hardware random numbers is
subjected to the rngtest tests at attach time, as well as the
FIPS continuous-output test, to detect bad or stuck hardware
RNGs; if any are detected, they are detached, but the system
continues to run.
A problem with rndctl(8) is fixed -- datastructures with
pointers in arrays are no longer passed to userspace (this
was not a security problem, but rather a major issue for
compat32). A new kernel will require a new rndctl.
The sysctl kern.arandom() and kern.urandom() nodes are hooked
up to the new generators, but the /dev/*random pseudodevices
are not, yet.
Manual pages for the new kernel interfaces are forthcoming.
2011-11-20 02:51:18 +04:00
|
|
|
*/
|
2014-08-10 20:44:32 +04:00
|
|
|
rnd_printf("rnd: WARNING, ENTROPY POOL FAILED "
|
2015-08-05 19:51:09 +03:00
|
|
|
"STATISTICAL TEST!\n");
|
2011-12-18 00:05:38 +04:00
|
|
|
continue;
|
First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>. This change includes
the following:
An initial cleanup and minor reorganization of the entropy pool
code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are
fixed. Some effort is made to accumulate entropy more quickly at
boot time.
A generic interface, "rndsink", is added, for stream generators to
request that they be re-keyed with good quality entropy from the pool
as soon as it is available.
The arc4random()/arc4randbytes() implementation in libkern is
adjusted to use the rndsink interface for rekeying, which helps
address the problem of low-quality keys at boot time.
An implementation of the FIPS 140-2 statistical tests for random
number generator quality is provided (libkern/rngtest.c). This
is based on Greg Rose's implementation from Qualcomm.
A new random stream generator, nist_ctr_drbg, is provided. It is
based on an implementation of the NIST SP800-90 CTR_DRBG by
Henric Jungheim. This generator users AES in a modified counter
mode to generate a backtracking-resistant random stream.
An abstraction layer, "cprng", is provided for in-kernel consumers
of randomness. The arc4random/arc4randbytes API is deprecated for
in-kernel use. It is replaced by "cprng_strong". The current
cprng_fast implementation wraps the existing arc4random
implementation. The current cprng_strong implementation wraps the
new CTR_DRBG implementation. Both interfaces are rekeyed from
the entropy pool automatically at intervals justifiable from best
current cryptographic practice.
In some quick tests, cprng_fast() is about the same speed as
the old arc4randbytes(), and cprng_strong() is about 20% faster
than rnd_extract_data(). Performance is expected to improve.
The AES code in src/crypto/rijndael is no longer an optional
kernel component, as it is required by cprng_strong, which is
not an optional kernel component.
The entropy pool output is subjected to the rngtest tests at
startup time; if it fails, the system will reboot. There is
approximately a 3/10000 chance of a false positive from these
tests. Entropy pool _input_ from hardware random numbers is
subjected to the rngtest tests at attach time, as well as the
FIPS continuous-output test, to detect bad or stuck hardware
RNGs; if any are detected, they are detached, but the system
continues to run.
A problem with rndctl(8) is fixed -- datastructures with
pointers in arrays are no longer passed to userspace (this
was not a security problem, but rather a major issue for
compat32). A new kernel will require a new rndctl.
The sysctl kern.arandom() and kern.urandom() nodes are hooked
up to the new generators, but the /dev/*random pseudodevices
are not, yet.
Manual pages for the new kernel interfaces are forthcoming.
2011-11-20 02:51:18 +04:00
|
|
|
}
|
2016-01-11 17:55:52 +03:00
|
|
|
explicit_memset(&rnd_rt, 0, sizeof(rnd_rt));
|
2015-04-14 16:23:25 +03:00
|
|
|
rndpool_add_data(&rnd_global.pool, rnd_testbits,
|
|
|
|
sizeof(rnd_testbits), entropy_count);
|
2016-02-27 03:09:44 +03:00
|
|
|
explicit_memset(rnd_testbits, 0, sizeof(rnd_testbits));
|
2015-04-08 05:32:26 +03:00
|
|
|
rnd_printf_verbose("rnd: statistical RNG test done,"
|
|
|
|
" entropy = %d.\n",
|
2015-04-14 16:23:25 +03:00
|
|
|
rndpool_get_entropy_count(&rnd_global.pool));
|
First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>. This change includes
the following:
An initial cleanup and minor reorganization of the entropy pool
code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are
fixed. Some effort is made to accumulate entropy more quickly at
boot time.
A generic interface, "rndsink", is added, for stream generators to
request that they be re-keyed with good quality entropy from the pool
as soon as it is available.
The arc4random()/arc4randbytes() implementation in libkern is
adjusted to use the rndsink interface for rekeying, which helps
address the problem of low-quality keys at boot time.
An implementation of the FIPS 140-2 statistical tests for random
number generator quality is provided (libkern/rngtest.c). This
is based on Greg Rose's implementation from Qualcomm.
A new random stream generator, nist_ctr_drbg, is provided. It is
based on an implementation of the NIST SP800-90 CTR_DRBG by
Henric Jungheim. This generator users AES in a modified counter
mode to generate a backtracking-resistant random stream.
An abstraction layer, "cprng", is provided for in-kernel consumers
of randomness. The arc4random/arc4randbytes API is deprecated for
in-kernel use. It is replaced by "cprng_strong". The current
cprng_fast implementation wraps the existing arc4random
implementation. The current cprng_strong implementation wraps the
new CTR_DRBG implementation. Both interfaces are rekeyed from
the entropy pool automatically at intervals justifiable from best
current cryptographic practice.
In some quick tests, cprng_fast() is about the same speed as
the old arc4randbytes(), and cprng_strong() is about 20% faster
than rnd_extract_data(). Performance is expected to improve.
The AES code in src/crypto/rijndael is no longer an optional
kernel component, as it is required by cprng_strong, which is
not an optional kernel component.
The entropy pool output is subjected to the rngtest tests at
startup time; if it fails, the system will reboot. There is
approximately a 3/10000 chance of a false positive from these
tests. Entropy pool _input_ from hardware random numbers is
subjected to the rngtest tests at attach time, as well as the
FIPS continuous-output test, to detect bad or stuck hardware
RNGs; if any are detected, they are detached, but the system
continues to run.
A problem with rndctl(8) is fixed -- datastructures with
pointers in arrays are no longer passed to userspace (this
was not a security problem, but rather a major issue for
compat32). A new kernel will require a new rndctl.
The sysctl kern.arandom() and kern.urandom() nodes are hooked
up to the new generators, but the /dev/*random pseudodevices
are not, yet.
Manual pages for the new kernel interfaces are forthcoming.
2011-11-20 02:51:18 +04:00
|
|
|
rnd_tested++;
|
|
|
|
}
|
2011-12-18 00:05:38 +04:00
|
|
|
#endif
retval = rndpool_extract_data(&rnd_global.pool, p, len, flags);
mutex_spin_exit(&rnd_global.lock);
return retval;
}
/*
 * rnd_extract: fill buffer[0..bytes) from the entropy pool.
 *
 * The first pass asks only for RND_EXTRACT_GOOD bytes.  If the pool
 * could not supply all of them, the shortfall is requested from the
 * sources (rnd_getmore) and the tail is topped up with RND_EXTRACT_ANY
 * output so the whole buffer is at least written; the caller is told
 * by the false return that the contents are NOT full entropy and must
 * decide for itself whether that is acceptable.  Returns true only
 * when every byte came out of the GOOD path.
 */
bool
rnd_extract(void *buffer, size_t bytes)
{
	uint8_t *const buf = buffer;
	size_t good;

	good = rnd_extract_data(buf, bytes, RND_EXTRACT_GOOD);
	if (good >= bytes)
		return true;

	/* Short: ask for more entropy, then pad the tail with ANY-quality bytes. */
	rnd_getmore(bytes - good);
	(void)rnd_extract_data(buf + good, bytes - good, RND_EXTRACT_ANY);
	return false;
}
/*
 * Compile-time guarantees that the arithmetic in rnd_tryextract() cannot
 * overflow its 32-bit bit counter: the threshold, the largest request a
 * sink may make, and their sum scaled up to bits all fit in uint32_t.
 */
CTASSERT(RND_ENTROPY_THRESHOLD <= 0xffffffffUL);
CTASSERT(RNDSINK_MAX_BYTES <= (0xffffffffUL - RND_ENTROPY_THRESHOLD));
CTASSERT((RNDSINK_MAX_BYTES + RND_ENTROPY_THRESHOLD) <=
    (0xffffffffUL / NBBY));

/*
 * rnd_tryextract: non-blocking, all-or-nothing extraction.
 *
 * Succeeds (fills buffer, returns true) only if the pool currently
 * holds at least bytes*NBBY bits plus RND_ENTROPY_THRESHOLD*NBBY bits
 * of headroom.  Otherwise the buffer is left untouched, the shortfall
 * is requested from the sources via rnd_getmore(), and false is
 * returned.  bytes must not exceed RNDSINK_MAX_BYTES (asserted); the
 * pool lock is held only for the count check and the extraction.
 */
bool
rnd_tryextract(void *buffer, size_t bytes)
{
	uint32_t need_bits, have_bits, shortfall_bytes = 0;

	KASSERT(bytes <= RNDSINK_MAX_BYTES);
	/* Cannot overflow: see the CTASSERTs above. */
	need_bits = (bytes + RND_ENTROPY_THRESHOLD) * NBBY;

	mutex_spin_enter(&rnd_global.lock);
	have_bits = rndpool_get_entropy_count(&rnd_global.pool);
	if (have_bits < need_bits) {
		/* XXX Figure the threshold into this... */
		shortfall_bytes = howmany(need_bits - have_bits, NBBY);
		KASSERT(0 < shortfall_bytes);
	} else {
		const uint32_t got __diagused =
		    rndpool_extract_data(&rnd_global.pool, buffer, bytes,
			RND_EXTRACT_GOOD);

		KASSERT(got == bytes);
	}
	mutex_spin_exit(&rnd_global.lock);

	/* Ask the sources for the missing bits outside the spin lock. */
	if (shortfall_bytes != 0)
		rnd_getmore(shortfall_bytes);

	return shortfall_bytes == 0;
}
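/*
 * rnd_seed: accept a seed record handed to us by the boot loader.
 *
 * base/len describe a bootloader-supplied rndsave_t.  The record is
 * rejected unless len matches exactly and the SHA1 over its entropy
 * estimate and data matches the stored digest.  That digest is unkeyed:
 * it detects truncation or corruption but does NOT authenticate the
 * seed, so the entropy claim it carries is still capped below.
 *
 * boot_rsp is only published once the record has passed verification.
 * The rest of this file treats boot_rsp != NULL as "already seeded by
 * the boot loader" (RNDADDDATA in rnd_system_ioctl() refuses a userland
 * seed in that case), so a record that failed its checksum must not set
 * it.  If the pool is already up the seed is mixed in immediately and
 * the record scrubbed; otherwise it is left in place for the deferred
 * path (presumably rnd_init(); not visible here) to consume.
 */
void
rnd_seed(void *base, size_t len)
{
	rndsave_t *rsp = base;
	SHA1_CTX s;
	uint8_t digest[SHA1_DIGEST_LENGTH];

	if (len != sizeof(*rsp)) {
		rnd_printf("rnd: bad seed length %d\n", (int)len);
		return;
	}

	/* The digest covers the entropy estimate, then the data. */
	SHA1Init(&s);
	SHA1Update(&s, (uint8_t *)&rsp->entropy, sizeof(rsp->entropy));
	SHA1Update(&s, rsp->data, sizeof(rsp->data));
	SHA1Final(digest, &s);

	if (memcmp(digest, rsp->digest, sizeof(digest)) != 0) {
		/*
		 * Do not publish a record that failed verification:
		 * leaving boot_rsp alone keeps RNDADDDATA usable and
		 * keeps the deferred path from consuming corrupt data.
		 */
		rnd_printf("rnd: bad seed checksum\n");
		return;
	}

	boot_rsp = rsp;

	/*
	 * It's not really well-defined whether bootloader-supplied
	 * modules run before or after rnd_init().  Handle both cases.
	 */
	if (rnd_ready) {
		rnd_printf_verbose("rnd: ready,"
		    " feeding in seed data directly.\n");
		mutex_spin_enter(&rnd_global.lock);
		/* Cap the seed's own entropy claim so it cannot saturate the pool. */
		rndpool_add_data(&rnd_global.pool, boot_rsp->data,
		    sizeof(boot_rsp->data),
		    MIN(boot_rsp->entropy, RND_POOLBITS / 2));
		/* Scrub the seed; boot_rsp stays non-NULL as the "seeded" marker. */
		explicit_memset(boot_rsp, 0, sizeof(*boot_rsp));
		mutex_spin_exit(&rnd_global.lock);
	} else {
		rnd_printf_verbose("rnd: not ready, deferring seed feed.\n");
	}
}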
|
2015-04-14 15:51:30 +03:00
|
|
|
|
|
|
|
/*
 * krndsource_to_rndsource: build the userland-visible copy of a source.
 *
 * r is cleared in full first (a memset, deliberately not a struct
 * assignment) so that padding and any fields not set below hold zeros
 * rather than stale kernel memory when rnd_system_ioctl() hands the
 * result back as an ioctl reply.  Only the public fields are filled in.
 */
static void
krndsource_to_rndsource(krndsource_t *kr, rndsource_t *r)
{

	/* Zero everything, padding included, before exposing it. */
	memset(r, 0, sizeof(*r));

	/* Bounded, NUL-terminated copy of the source name. */
	strlcpy(r->name, kr->name, sizeof(r->name));

	/* Public statistics and control bits. */
	r->flags = kr->flags;
	r->type = kr->type;
	r->total = kr->total;
}
/*
 * krndsource_to_rndsource_est: like krndsource_to_rndsource(), but also
 * export the two delta-estimator counters (timing and value), as
 * reported by RNDGETESTNUM / RNDGETESTNAME.
 *
 * re is zeroed in full first so no padding or unset field leaks to the
 * ioctl caller; the embedded rndsource_t is then filled via the plain
 * converter.
 */
static void
krndsource_to_rndsource_est(krndsource_t *kr, rndsource_est_t *re)
{

	memset(re, 0, sizeof(*re));

	/* Base record first, then the estimator counters. */
	krndsource_to_rndsource(kr, &re->rt);

	/* Timing-delta estimator (per the field names: samples in, bits out). */
	re->dt_total = kr->time_delta.outbits;
	re->dt_samples = kr->time_delta.insamples;

	/* Value-delta estimator, same layout. */
	re->dv_total = kr->value_delta.outbits;
	re->dv_samples = kr->value_delta.insamples;
}
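/*
 * krs_setflags: set the bits of kr->flags selected by mask to the values
 * in flags, and notify the source if its collection state changed.
 *
 * Only sources advertising RND_FLAG_HASENABLE have an enable() callback;
 * it is invoked with true when collection is now allowed
 * (RND_FLAG_NO_COLLECT clear) and false when it is now suppressed.
 * The decision is taken on the flag word as it ends up AFTER masking,
 * so a NO_COLLECT bit present in flags but excluded by mask (an
 * ill-formed rndctl request) can no longer fire a callback that
 * contradicts what kr->flags records.  For requests whose mask covers
 * NO_COLLECT this is identical to the previous behaviour.
 *
 * The visible caller (RNDCTL in rnd_system_ioctl()) holds
 * rnd_global.lock, a spin mutex, across this call, so enable() runs
 * under that lock.
 */
static void
krs_setflags(krndsource_t *kr, uint32_t flags, uint32_t mask)
{
	const uint32_t oflags = kr->flags;
	const uint32_t nflags = (oflags & ~mask) | (flags & mask);

	kr->flags = nflags;

	/* Toggle collection only when NO_COLLECT really changed. */
	if ((oflags & RND_FLAG_HASENABLE) != 0 &&
	    ((oflags ^ nflags) & RND_FLAG_NO_COLLECT) != 0)
		kr->enable(kr, !(nflags & RND_FLAG_NO_COLLECT));
}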
/*
 * rnd_system_ioctl: ioctl backend for the random pseudo-device and
 * rndctl(8).
 *
 * addr points at the ioctl argument (presumably already copied in by
 * the ioctl layer; the copyin/copyout is not visible here).  Two passes:
 *
 *   1. Authorization.  Every command except RNDGETENTCNT (the pool's
 *      entropy count is readable without privilege) must pass a kauth
 *      check: GETPRIV for the read-only statistics, SETPRIV for RNDCTL,
 *      ADDDATA for feeding data.  Whether an RNDADDDATA caller may also
 *      claim entropy for its data is a separate privilege
 *      (ADDDATA_ESTIMATE): without it the data is still mixed in but
 *      credited with zero entropy.  Unknown commands go to the
 *      COMPAT_50 handler when built in, else ENOTTY.
 *
 *   2. Dispatch.  Source-list walks and pool access happen under
 *      rnd_global.lock.  Name lookups use strncmp bounded by the
 *      smaller of the two name fields, so an unterminated name from
 *      userland cannot be read past its field.  Reply structures are
 *      built by krndsource_to_rndsource*(), which zero them first.
 *
 * Returns 0 on success or an errno value.
 */
int
rnd_system_ioctl(struct file *fp, u_long cmd, void *addr)
{
	krndsource_t *kr;
	rndstat_t *rst;
	rndstat_name_t *rstnm;
	rndstat_est_t *rset;
	rndstat_est_name_t *rsetnm;
	rndctl_t *rctl;
	rnddata_t *rnddata;
	uint32_t count, start;
	int ret = 0;
	int estimate_ok = 0, estimate = 0;

	/* Pass 1: privilege checks, before touching the argument. */
	switch (cmd) {
	case RNDGETENTCNT:
		/* Deliberately unprivileged. */
		break;

	case RNDGETPOOLSTAT:
	case RNDGETSRCNUM:
	case RNDGETSRCNAME:
	case RNDGETESTNUM:
	case RNDGETESTNAME:
		ret = kauth_authorize_device(curlwp->l_cred,
		    KAUTH_DEVICE_RND_GETPRIV, NULL, NULL, NULL, NULL);
		if (ret)
			return ret;
		break;

	case RNDCTL:
		ret = kauth_authorize_device(curlwp->l_cred,
		    KAUTH_DEVICE_RND_SETPRIV, NULL, NULL, NULL, NULL);
		if (ret)
			return ret;
		break;

	case RNDADDDATA:
		ret = kauth_authorize_device(curlwp->l_cred,
		    KAUTH_DEVICE_RND_ADDDATA, NULL, NULL, NULL, NULL);
		if (ret)
			return ret;
		/*
		 * Adding data and being believed about its entropy are
		 * separate privileges; the second is advisory only
		 * (estimate forced to 0 below when it is denied).
		 */
		estimate_ok = !kauth_authorize_device(curlwp->l_cred,
		    KAUTH_DEVICE_RND_ADDDATA_ESTIMATE, NULL, NULL, NULL, NULL);
		break;

	default:
#ifdef COMPAT_50
		return compat_50_rnd_ioctl(fp, cmd, addr);
#else
		return ENOTTY;
#endif
	}

	/* Pass 2: the command itself. */
	switch (cmd) {
	case RNDGETENTCNT:
		mutex_spin_enter(&rnd_global.lock);
		*(uint32_t *)addr =
		    rndpool_get_entropy_count(&rnd_global.pool);
		mutex_spin_exit(&rnd_global.lock);
		break;

	case RNDGETPOOLSTAT:
		mutex_spin_enter(&rnd_global.lock);
		rndpool_get_stats(&rnd_global.pool, addr,
		    sizeof(rndpoolstat_t));
		mutex_spin_exit(&rnd_global.lock);
		break;

	case RNDGETSRCNUM:
		rst = (rndstat_t *)addr;

		if (rst->count == 0)
			break;

		/* User-supplied count bounds the writes into rst->source[]. */
		if (rst->count > RND_MAXSTATCOUNT)
			return EINVAL;

		mutex_spin_enter(&rnd_global.lock);
		/*
		 * Find the starting source by running through the
		 * list of sources.
		 */
		kr = LIST_FIRST(&rnd_global.sources);
		start = rst->start;
		while (kr != NULL && start >= 1) {
			kr = LIST_NEXT(kr, list);
			start--;
		}

		/*
		 * Return up to as many structures as the user asked
		 * for.  If we run out of sources, a count of zero
		 * will be returned, without an error.
		 */
		for (count = 0; count < rst->count && kr != NULL; count++) {
			krndsource_to_rndsource(kr, &rst->source[count]);
			kr = LIST_NEXT(kr, list);
		}

		rst->count = count;

		mutex_spin_exit(&rnd_global.lock);
		break;

	case RNDGETESTNUM:
		rset = (rndstat_est_t *)addr;

		if (rset->count == 0)
			break;

		/* User-supplied count bounds the writes into rset->source[]. */
		if (rset->count > RND_MAXSTATCOUNT)
			return EINVAL;

		mutex_spin_enter(&rnd_global.lock);
		/*
		 * Find the starting source by running through the
		 * list of sources.
		 */
		kr = LIST_FIRST(&rnd_global.sources);
		start = rset->start;
		while (kr != NULL && start > 0) {
			kr = LIST_NEXT(kr, list);
			start--;
		}

		/*
		 * Return up to as many structures as the user asked
		 * for.  If we run out of sources, a count of zero
		 * will be returned, without an error.
		 */
		for (count = 0; count < rset->count && kr != NULL; count++) {
			krndsource_to_rndsource_est(kr, &rset->source[count]);
			kr = LIST_NEXT(kr, list);
		}

		rset->count = count;

		mutex_spin_exit(&rnd_global.lock);
		break;

	case RNDGETSRCNAME:
		/*
		 * Scan through the list, trying to find the name.
		 * Comparison is bounded by the smaller name field so a
		 * non-terminated user name is never over-read.
		 */
		mutex_spin_enter(&rnd_global.lock);
		rstnm = (rndstat_name_t *)addr;
		kr = LIST_FIRST(&rnd_global.sources);
		while (kr != NULL) {
			if (strncmp(kr->name, rstnm->name,
			    MIN(sizeof(kr->name),
				sizeof(rstnm->name))) == 0) {
				krndsource_to_rndsource(kr, &rstnm->source);
				mutex_spin_exit(&rnd_global.lock);
				return 0;
			}
			kr = LIST_NEXT(kr, list);
		}
		mutex_spin_exit(&rnd_global.lock);

		ret = ENOENT;		/* name not found */

		break;

	case RNDGETESTNAME:
		/*
		 * Scan through the list, trying to find the name.
		 * Same bounded comparison as RNDGETSRCNAME.
		 */
		mutex_spin_enter(&rnd_global.lock);
		rsetnm = (rndstat_est_name_t *)addr;
		kr = LIST_FIRST(&rnd_global.sources);
		while (kr != NULL) {
			if (strncmp(kr->name, rsetnm->name,
			    MIN(sizeof(kr->name), sizeof(rsetnm->name)))
			    == 0) {
				krndsource_to_rndsource_est(kr,
				    &rsetnm->source);
				mutex_spin_exit(&rnd_global.lock);
				return 0;
			}
			kr = LIST_NEXT(kr, list);
		}
		mutex_spin_exit(&rnd_global.lock);

		ret = ENOENT;		/* name not found */

		break;

	case RNDCTL:
		/*
		 * Set flags to enable/disable entropy counting and/or
		 * collection.  krs_setflags() runs under the spin lock
		 * and may invoke the source's enable() callback.
		 */
		mutex_spin_enter(&rnd_global.lock);
		rctl = (rndctl_t *)addr;
		kr = LIST_FIRST(&rnd_global.sources);

		/*
		 * Flags set apply to all sources of this type.
		 * A type of 0xff is the wildcard meaning "select by
		 * name instead" (see the loop below).
		 */
		if (rctl->type != 0xff) {
			while (kr != NULL) {
				if (kr->type == rctl->type) {
					krs_setflags(kr, rctl->flags,
					    rctl->mask);
				}
				kr = LIST_NEXT(kr, list);
			}
			mutex_spin_exit(&rnd_global.lock);
			return 0;
		}

		/*
		 * scan through the list, trying to find the name
		 */
		while (kr != NULL) {
			if (strncmp(kr->name, rctl->name,
			    MIN(sizeof(kr->name), sizeof(rctl->name)))
			    == 0) {
				krs_setflags(kr, rctl->flags, rctl->mask);
				mutex_spin_exit(&rnd_global.lock);
				return 0;
			}
			kr = LIST_NEXT(kr, list);
		}

		mutex_spin_exit(&rnd_global.lock);
		ret = ENOENT;		/* name not found */

		break;

	case RNDADDDATA:
		/*
		 * Don't seed twice if our bootloader has
		 * seed loading support.  boot_rsp != NULL is the
		 * marker set by rnd_seed(); see that function for
		 * when it is set.
		 */
		if (!boot_rsp) {
			rnddata = (rnddata_t *)addr;

			/* len bounds the read of rnddata->data below. */
			if (rnddata->len > sizeof(rnddata->data))
				return EINVAL;

			if (estimate_ok) {
				/*
				 * Do not accept absurd entropy estimates, and
				 * do not flood the pool with entropy such that
				 * new samples are discarded henceforth.
				 * Credit at most half a bit per input bit
				 * and at most half the pool size.
				 */
				estimate = MIN((rnddata->len * NBBY) / 2,
				    MIN(rnddata->entropy, RND_POOLBITS / 2));
			} else {
				/* Mix the data in, but trust none of it. */
				estimate = 0;
			}

			mutex_spin_enter(&rnd_global.lock);
			rndpool_add_data(&rnd_global.pool, rnddata->data,
			    rnddata->len, estimate);
			rnd_entropy_added();
			mutex_spin_exit(&rnd_global.lock);

			/* Wake sinks waiting on the new entropy, outside the lock. */
			rndsinks_distribute();
		} else {
			rnd_printf_verbose("rnd"
			    ": already seeded by boot loader\n");
		}
		break;

	default:
		return ENOTTY;
	}

	return ret;
}