8896 Commits

Author SHA1 Message Date
christos
a461f65adc Move the rump module test programs in the regular mi file. These are not
really kernel modules and the other md module test is in the md.amd64 file
already.
2020-05-01 17:14:28 +00:00
ryo
1da5a7c800 Add a test for sigaltstack(2) and SA_ONSTACK 2020-04-30 11:03:29 +00:00
riastradh
5084c1b50f Rewrite entropy subsystem.
Primary goals:

1. Use cryptography primitives designed and vetted by cryptographers.
2. Be honest about entropy estimation.
3. Propagate full entropy as soon as possible.
4. Simplify the APIs.
5. Reduce overhead of rnd_add_data and cprng_strong.
6. Reduce side channels of HWRNG data and human input sources.
7. Improve visibility of operation with sysctl and event counters.

Caveat: rngtest is no longer used generically for RND_TYPE_RNG
rndsources.  Hardware RNG devices should have hardware-specific
health tests.  For example, checking for two repeated 256-bit outputs
works to detect AMD's 2019 RDRAND bug.  Not all hardware RNGs are
necessarily designed to produce exactly uniform output.

ENTROPY POOL

- A Keccak sponge, with test vectors, replaces the old LFSR/SHA-1
  kludge as the cryptographic primitive.

- `Entropy depletion' is available for testing purposes with a sysctl
  knob kern.entropy.depletion; otherwise it is disabled, and once the
  system reaches full entropy it is assumed to stay there as far as
  modern cryptography is concerned.

- No `entropy estimation' based on sample values.  Such `entropy
  estimation' is a contradiction in terms, dishonest to users, and a
  potential source of side channels.  It is the responsibility of the
  driver author to study the entropy of the process that generates
  the samples.

- Per-CPU gathering pools avoid contention on a global queue.

- Entropy is occasionally consolidated into global pool -- as soon as
  it's ready, if we've never reached full entropy, and with a rate
  limit afterward.  Operators can force consolidation now by running
  sysctl -w kern.entropy.consolidate=1.

- rndsink(9) API has been replaced by an epoch counter which changes
  whenever entropy is consolidated into the global pool.
  . Usage: Cache entropy_epoch() when you seed.  If entropy_epoch()
    has changed when you're about to use whatever you seeded, reseed.
  . Epoch is never zero, so initialize cache to 0 if you want to reseed
    on first use.
  . Epoch is -1 iff we have never reached full entropy -- in other
    words, the old rnd_initial_entropy is (entropy_epoch() != -1) --
    but it is better if you check for changes rather than for -1, so
    that if the system estimated its own entropy incorrectly, entropy
    consolidation has the opportunity to prevent future compromise.

- Sysctls and event counters provide operator visibility into what's
  happening:
  . kern.entropy.needed - bits of entropy short of full entropy
  . kern.entropy.pending - bits known to be pending in per-CPU pools,
    can be consolidated with sysctl -w kern.entropy.consolidate=1
  . kern.entropy.epoch - number of times consolidation has happened,
    never 0, and -1 iff we have never reached full entropy

CPRNG_STRONG

- A cprng_strong instance is now a collection of per-CPU NIST
  Hash_DRBGs.  There are only two in the system: user_cprng for
  /dev/urandom and sysctl kern.?random, and kern_cprng for kernel
  users which may need to operate in interrupt context up to IPL_VM.

  (Calling cprng_strong in interrupt context does not strike me as a
  particularly good idea, so I added an event counter to see whether
  anything actually does.)

- Event counters provide operator visibility into when reseeding
  happens.

INTEL RDRAND/RDSEED, VIA C3 RNG (CPU_RNG)

- Unwired for now; will be rewired in a subsequent commit.
2020-04-30 03:28:18 +00:00
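The epoch-caching rule from the rndsink(9) replacement notes above, as an added example that is not part of the commit or the NetBSD source. It is a userland C model: `model_entropy_epoch()` and `model_consolidate()` are hypothetical stand-ins for the kernel's `entropy_epoch()` and for consolidation, and `struct consumer` is an invented seeded object.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the value entropy_epoch() would return;
 * (unsigned)-1 means full entropy has never been reached. */
static unsigned model_epoch = (unsigned)-1;
static unsigned model_entropy_epoch(void) { return model_epoch; }

/* Models consolidation: the epoch changes, is never 0, never goes back to -1. */
static void model_consolidate(void)
{
	if (++model_epoch == 0 || model_epoch == (unsigned)-1)
		model_epoch = 1;
}

struct consumer {
	unsigned seed_epoch;	/* 0 = never seeded, so first use reseeds */
	unsigned reseeds;	/* how many times we rekeyed */
	uint8_t key[32];
};

/* Check the cached epoch right before use and reseed on any change,
 * not only on leaving -1. Returns 1 if a reseed happened. */
static int consumer_use(struct consumer *c)
{
	/* Read the epoch first, so a consolidation during reseed is caught next use. */
	unsigned epoch = model_entropy_epoch();
	int reseeded = 0;

	if (c->seed_epoch != epoch) {
		/* Placeholder for drawing fresh key material from the pool. */
		memset(c->key, (int)(epoch & 0xff), sizeof(c->key));
		c->seed_epoch = epoch;
		c->reseeds++;
		reseeded = 1;
	}
	return reseeded;	/* c->key is now safe to use for this epoch */
}

int main(void)
{
	struct consumer c = { 0 };
	int first = consumer_use(&c);	/* seeded before full entropy */
	model_consolidate();		/* full entropy reached */
	int second = consumer_use(&c);	/* epoch changed: reseed */
	printf("first=%d second=%d reseeds=%u\n", first, second, c.reseeds);
	return 0;
}
```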
rillig
0cf5f48424 usr.bin/make: add test case for lazy conditions 2020-04-29 23:15:21 +00:00
rjs
9df5444666 The x86_pte tests are only built when MKKMOD=yes. 2020-04-28 13:43:45 +00:00
mlelstv
6676af1407 Add missing futex tests. 2020-04-26 21:05:36 +00:00
thorpej
276ef22378 Add a NetBSD native futex implementation, mostly written by riastradh@.
Map the COMPAT_LINUX futex calls to the native ones.
2020-04-26 18:53:31 +00:00
maxv
e497fc86e6 Add tests on the x86 PTEs. We scan the MMU page tables directly and verify
certain properties.
2020-04-26 09:08:40 +00:00
rin
e14b16b8c0 Adjust for binutils 2.34. 2020-04-26 06:58:05 +00:00
bouyer
224cc4e632 Add /usr/include/xen/intrdefs.h to sets
Add xen to KLINKFILES for amd64/i386
2020-04-25 15:46:59 +00:00
kre
9d0d79c629 Update to tzdata2020a (new zone file America/Nuuk)
XXX pullup -8 -9
2020-04-25 12:18:47 +00:00
uki
6f0f0600e3 Add -unknown- to "./netbsd" in modules/mi to fix "build.sh syspkgs" failure 2020-04-23 11:41:28 +00:00
maxv
7ee848d944 Add tests for USER_LDT. 2020-04-19 13:22:58 +00:00
kre
e9f637c8af Since dhcpcd-hooks/02-dump seems to have been removed from the
repository, don't attempt to install it, and don't expect it to
be installed. If a better fix is to return 02-dump, then this
change can be reverted (by anyone, just go ahead and do it).

dhcpcd(8) should also have mention of 02-dump removed, if removing
it was intentional.
2020-04-14 03:16:26 +00:00
simonb
a91470c59b Add uxrcom driver for Exar XR21V141x USB serial adapters. Based in part
on the OpenBSD single-port XR21V1410 uxrcom driver, but adds support
for multi-port chipsets and uses the common umodem framework instead of
being a standalone driver.

Thanks to skrll@ for much USB clue and mrg@ for financing the
development of this driver.
2020-04-12 01:10:53 +00:00
christos
407ffe11fc Add new t_extattr 2020-04-11 01:51:14 +00:00
mlelstv
f8df89e092 revert to previous 2020-04-05 05:19:24 +00:00
christos
102c608adf we don't delete entries, we mark them obsolete so that postinstall can
delete the files.
2020-04-05 01:21:43 +00:00
mlelstv
e264b2bd0f one more netsmb reference. 2020-04-04 22:08:33 +00:00
christos
d8e96a2d4f Infrastructure for putting kernel+modules in /netbsd/kernel and
/netbsd/modules respectively instead of /netbsd and
/stand/<arch>/<version>/modules.  This is only supported for x86,
and is turned off by default. To try it, add KERNEL_DIR=yes in your
/mk.conf and install a system from that build.
2020-04-04 19:50:53 +00:00
christos
8809b7dc13 fix netsmb, libgnuctf 2020-04-04 19:26:51 +00:00
christos
ec53555ab5 gnuctf is only binutils=234 2020-04-04 17:00:05 +00:00
christos
1a8140ac32 fix libgnuctf 2020-04-04 16:05:39 +00:00
christos
1e0e781857 fix sets for new binutils 2020-04-04 16:04:01 +00:00
jdolecek
b28734a61b remove SMBFS and nsmb/netsmb - userland part 2020-04-04 15:39:13 +00:00
mlelstv
9f445f8e17 More binutils version mismatch. 2020-04-04 12:06:57 +00:00
mlelstv
19fee71a55 conditionally list library versions for binutils 2.31 and 2.34 2020-04-04 09:57:12 +00:00
roy
da35319256 Adjust set lists for dhcpcd chroot 2020-04-02 13:03:22 +00:00
kamil
bf4492493d Add ioctlprint - descriptive ioctl value printer
ioctlprint(1) is embedded in the kdump(1) program.
2020-04-02 03:32:46 +00:00
maxv
0512ed0af2 Put the ioctl definitions in a header, and install it. 2020-03-31 16:28:28 +00:00
christos
f56084844e Add rpcapd 2020-03-30 02:12:38 +00:00
christos
66d7aa31df enable remote for libpcap and add rpcapd 2020-03-29 17:13:46 +00:00
christos
3958d16a96 As described in tech-userlevel:
- Modify the writing code to only write entries in the new
  format for the terminal descriptions that require it.
- Store new format entries as <name>@v3
- Store old format entries with clamped values as <name> for
  backwards compatibility
- Lookup first <name>@v3 and then <name> if that is not found.
- Don't create terminfo2 anymore; old programs keep working with
  clamped entries, and new programs will be able to use the wide
  fields using the original db file.
2020-03-27 15:11:57 +00:00
thorpej
8ddade78c3 Let xunlong,orangepi-lite2 share bwfm config with raspberrypi,3-model-b-plus;
it seems to work fine and there's no better alternative at the moment.
2020-03-27 04:31:18 +00:00
kre
5388a00941 Document strerror_l()
While here also document (but comment it out since it isn't
available - yet) strerror_lr(). To include that, simply
uncomment the relevant lines, and (twice I think) s/returns/return/
on lines just after currently commented out lines (that is, it
currently says, "A returns" after the comments are returned, we
need it to be "A and B return" - the "and B" appears when the comment
markers are removed, removing the 's' from returns must be done manually).

In addition to adding strerror_l() some additional enhancements were
made to the general strerror() doc.
2020-03-25 18:45:42 +00:00
christos
4fa722caef add pw_gensalt 2020-03-25 17:13:49 +00:00
roy
bb2ce1fb3d curses: Add stubs for mouse functions
No mouse support actually included.
But that doesn't matter because most terms don't actually support a mouse.

We should look into hooking these into wsmouse(4) and xterm mouse
in the future.

Compatible with nCurses mouse API version 2.
2020-03-23 13:37:36 +00:00
thorpej
3639ae7e3e Install the common AP6212 nvram config and use it for sinovoip,bpi-m2-zero. 2020-03-22 22:36:12 +00:00
thorpej
fa16de81c1 The raspberrypi,model-zero-w uses the same nvram config file as the
raspberrypi,3-model-b.
2020-03-22 22:17:11 +00:00
thorpej
e36e7c169a Install the "bwfm" firmware for the Pinebook Pro. 2020-03-22 21:13:35 +00:00
thorpej
4886cefda0 Add new bwfm firmware binaries and config files. Only install the
SDIO firmware binaries and platform-specific config files on platforms
where they're relevant.
2020-03-22 20:21:53 +00:00
ad
5de49fc7c2 Wrap vnode_impl.h in defined(_KERNEL) || defined(_KMEMUSER), and install
it for kmem grovellers.
2020-03-22 14:27:33 +00:00
skrll
73cad4db9c hopefully fix builds 2020-03-14 06:39:20 +00:00
roy
aadfdb111b terminfo: promote numeric parameters from short to int
POSIX mandates implementations must support up to a short but may exceed it.
When NetBSD terminfo was implemented, no terminfo description used over
a short, but because ncurses has supported ints for some time, some now do.

In fact, such a terminfo description was imported where colour pairs for
screen-256color went up to 65536 which exposed a bug in the existing
implementation where it set to zero. Because the number might mean
something more than a range, we need to be able to store it accurately.

This requires a version bump because whilst the API hasn't changed thanks
to C int promotion, the ABI has. Also the underlying database structure
has changed as well - we now store the numeric parameter inside a uint32_t
field rather than a uint16_t one.
Whilst this change can still read the old style database, the old one
cannot read the new one and thus we now maintain the database as
terminfo2.cdb, leaving the old library and database alone so old programs
still work fine.

libcurses, libform, libmenu and libpanel have also been bumped to
accommodate this change.
2020-03-13 15:19:24 +00:00
pgoyette
e135ca8390 Add new netbsd32 quota modules to sets lists 2020-03-12 15:04:13 +00:00
skrll
fcbc11fb45 Fixup the evbarm PCI modules 2020-03-11 08:31:08 +00:00
christos
7aea3fca18 wrong test name 2020-03-09 02:22:20 +00:00
mgorny
43b5dbaaaf Update libc SOVERSION 2020-03-08 22:42:35 +00:00
mgorny
5fb02e28e8 Add tests for missing libc catalog entries 2020-03-08 22:08:46 +00:00
christos
40bc2ecca0 new test for ifconfig 2020-03-08 17:23:55 +00:00