Commit Graph

17 Commits

Author SHA1 Message Date
thorpej dccc71f1fe Fix signed/unsigned comparison warnings. 2002-11-10 03:28:59 +00:00
dan 86d2054739 Account for 1 bit of entropy for each timestamp added during
initialisation. This is just as silly as the other entropy
estimations, but it at least allows us to see how many values have
been added.

spl protect rnd_get_entropy_counter call properly

Make rndpool start out doing rotations on the first pass - make the
LFSRs be less sensitive to stuck bits in poor initial inputs.

Add considerable comments regarding the mixing function.
2002-10-09 14:48:58 +00:00
dan 8c19166361 Comment initialisation conditions for rnd better, and don't uselessly
call rnd_init - instead assert that it has already been called
earlier.

change assert() -> KASSERT()
2002-10-08 12:12:56 +00:00
lukem 2565646230 don't need <sys/types.h> when including <sys/param.h> 2001-11-15 09:47:59 +00:00
lukem 2bbe2de647 add RCSIDs 2001-11-13 05:32:49 +00:00
enami a1eef7d6a4 Cosmetic changes. 2001-09-09 00:32:52 +00:00
thorpej c8b4ac1b17 bcopy -> memcpy
bzero -> memset
2001-07-07 17:04:01 +00:00
sommerfeld 8e8ecc1bb5 portability fix: when rotating, don't do shifts >= wordsize. 2000-06-10 17:01:15 +00:00
sommerfeld 7497ddcce5 /dev/random code cleanups:
- Add comments about which spls apply to which data structures.
- Consistently protect the rnd_samples queue (the queue of
  unprocessed samples) at splhigh().
- allow MD code to supply cpu_timestamp() and cpu_havetimestamp() for
  an optional higher-resolution clock/roulette wheel source.
- Collect more statistics on the pool state (keeping track of where
  collected bits are going, in addition to where they came from).
- Add RNDGETPOOLSTAT ioctl to get the additional stats.
- Flush a few unused rndpool calls.
- XXX XXX Cryptographic changes:
  - 32-bit rotate is:
        ((val << rp->rotate) | (val >> (32 - rp->rotate))),
    not
        (val << rp->rotate) | (val >> rp->rotate)
    or
        ((val << rp->rotate) | (val >> (31 - rp->rotate)))
  - Avoid overloading of rp->rotate and double-rotation of data
    (which limited pool mixing somewhat; "rotate" never got above 7).
  - Be more paranoid (but probably not paranoid enough) about mixing
    output back into the pool.  This is an improvement, but it needs
    revisiting soon.

We should follow the spirit of some of the recommendations in
the Schneier PRNG papers:

http://www.counterpane.com/yarrow-notes.html
http://www.counterpane.com/pseudorandom_number.html

including:
 - two (or more) stage operation for better isolation between inputs
and outputs.
 - use of keyed one-way functions (probably better even than
invertible keyed functions like 3DES) at key points in the data flow,
so that breaking the PRNG is clearly as hard as breaking the function.
2000-06-05 23:42:34 +00:00
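The three rotate expressions contrasted in the commit above, together with the shift-count edge case addressed by the 2000-06-10 "portability fix" commit, as an added example that is not NetBSD's rndpool code: the correct 32-bit rotate beside the two buggy forms, plus a variant that stays defined when the rotate count is 0 or a multiple of 32. Function names are mine.

```c
#include <stdint.h>
#include <stdio.h>

/* Correct 32-bit left rotate from the commit message.
 * Only valid for 1 <= rot <= 31: a count of 0 or 32 makes one of the
 * shifts >= the word size, which is undefined behaviour in C. */
static uint32_t rotl32_correct(uint32_t val, unsigned rot) {
    return (val << rot) | (val >> (32 - rot));
}

/* Buggy form 1 from the commit: same count on both shifts, so the bits
 * shifted out on the left are not the ones brought back on the right. */
static uint32_t rotl32_bug_same_shift(uint32_t val, unsigned rot) {
    return (val << rot) | (val >> rot);
}

/* Buggy form 2 from the commit: off by one, the wrap-around lands in
 * the wrong bit position and one bit is lost. */
static uint32_t rotl32_bug_off_by_one(uint32_t val, unsigned rot) {
    return (val << rot) | (val >> (31 - rot));
}

/* Portable rotate: reduce the count modulo the word size and special-case
 * zero, so no shift ever reaches the word width (the later portability fix). */
static uint32_t rotl32_safe(uint32_t val, unsigned rot) {
    rot &= 31;
    if (rot == 0)
        return val;
    return (val << rot) | (val >> (32 - rot));
}

/* A genuine rotate is a bit permutation: rotating by r and then by 32 - r
 * must give back the input. The buggy forms fail this check. */
static int rotate_roundtrip_ok(uint32_t (*rot)(uint32_t, unsigned),
                               uint32_t val, unsigned r) {
    return rot(rot(val, r), 32 - r) == val;
}

int main(void) {
    uint32_t v = 0x80000001u;   /* constructed input: both end bits set */
    printf("correct   : %08x\n", rotl32_correct(v, 1));
    printf("same-shift: %08x\n", rotl32_bug_same_shift(v, 1));
    printf("off-by-one: %08x\n", rotl32_bug_off_by_one(v, 1));
    printf("safe, r=32: %08x\n", rotl32_safe(v, 32));
    return 0;
}
```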
mrg 59a6c3d4e7 KNF anality. 1999-01-27 10:41:00 +00:00
explorer 91a483bd33 missed one constant '20' to RND_ENTROPY_THRESHOLD change 1998-05-27 01:29:13 +00:00
explorer 6036d56ba6 Move RND_ENTROPY_THRESHOLD to sys/rnd.h. Use sha1 rather than md5, and
release the first 96 bits of the hash directly rather than by folding.
The full 160 bit hash is mixed back into the entropy pool.  This keeps
64 bits secret to stir the pool with.
1998-05-27 00:59:14 +00:00
explorer c327761377 Don't pretend to maintain an internal "global" entropy pool. In-kernel
locking cannot be done with it, and that sort of thing probably should not
be shared anyway.
1997-10-20 15:03:19 +00:00
explorer be3b267427 Update notice to indicate that the IDEAS were derived from Ted's code, not the
code itself, per phone conversation with Ted
1997-10-13 19:59:26 +00:00
explorer c713bc804e update copyright to include the CORRECT spelling of Ted Ts'o's name 1997-10-13 18:34:29 +00:00
explorer 80513cb5ae o Make usage of /dev/random dependent on
pseudo-device   rnd                     # /dev/random and in-kernel generator
  in config files.

o Add declaration to all architectures.

o Clean up copyright message in rnd.c, rnd.h, and rndpool.c to include
  that this code is derived in part from Ted Tyso's linux code.
1997-10-13 00:46:08 +00:00
explorer 2021c11247 Addition of /dev/random and in-kernel random value generation.
Over the next few days (thank goodness for long weekends) I'll be hunting
down device drivers and adding hooks to gather entropy from many devices,
and adding the conf.c changes to the various ports' device structs to
define major numbers for /dev/random and /dev/urandom.
1997-10-09 23:13:12 +00:00