Commit Graph

98 Commits

Author SHA1 Message Date
tls
6e1dd068e9 Separate /dev/random pseudodevice implementation from kernel entropy pool
implementation.  Rewrite pseudodevice code to use cprng_strong(9).

The new pseudodevice is cloning, so each caller gets bits from a stream
generated with its own key.  Users of /dev/urandom get their generators
keyed on a "best effort" basis -- the kernel will rekey generators
whenever the entropy pool hits the high water mark -- while users of
/dev/random get their generators rekeyed every time key-length bits
are output.

The underlying cprng_strong API can use AES-256 or AES-128, but we use
AES-128 because of concerns about related-key attacks on AES-256.  This
improves performance (and reduces entropy pool depletion) significantly
for users of /dev/urandom but does cause users of /dev/random to rekey
twice as often.

Also fixes various bugs (including some missing locking and a reseed-counter
overflow in the CTR_DRBG code) found while testing this.

For long reads, this generator is approximately 20 times as fast as the
old generator (dd with bs=64K yields 53MB/sec on 2GHz Core2 instead of
2.5MB/sec) and also uses a separate mutex per instance so concurrency
is greatly improved.  For reads of typical key sizes for modern
cryptosystems (16-32 bytes) performance is about the same as the old
code: a little better for 32 bytes, a little worse for 16 bytes.
2011-12-17 20:05:38 +00:00
macallan
19166a6288 NIST_CTR_DRBG.V is accessed as (unsigned long *) so we need to make sure
it's aligned accordingly or we go boom on sparc64
2011-11-21 23:48:52 +00:00
tls
3afd44cf08 First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>.  This change includes
the following:

	An initial cleanup and minor reorganization of the entropy pool
	code in sys/dev/rnd.c and sys/dev/rndpool.c.  Several bugs are
	fixed.  Some effort is made to accumulate entropy more quickly at
	boot time.

	A generic interface, "rndsink", is added, for stream generators to
	request that they be re-keyed with good quality entropy from the pool
	as soon as it is available.

	The arc4random()/arc4randbytes() implementation in libkern is
	adjusted to use the rndsink interface for rekeying, which helps
	address the problem of low-quality keys at boot time.

	An implementation of the FIPS 140-2 statistical tests for random
	number generator quality is provided (libkern/rngtest.c).  This
	is based on Greg Rose's implementation from Qualcomm.

	A new random stream generator, nist_ctr_drbg, is provided.  It is
	based on an implementation of the NIST SP800-90 CTR_DRBG by
	Henric Jungheim.  This generator uses AES in a modified counter
	mode to generate a backtracking-resistant random stream.

	An abstraction layer, "cprng", is provided for in-kernel consumers
	of randomness.  The arc4random/arc4randbytes API is deprecated for
	in-kernel use.  It is replaced by "cprng_strong".  The current
	cprng_fast implementation wraps the existing arc4random
	implementation.  The current cprng_strong implementation wraps the
	new CTR_DRBG implementation.  Both interfaces are rekeyed from
	the entropy pool automatically at intervals justifiable from best
	current cryptographic practice.

	In some quick tests, cprng_fast() is about the same speed as
	the old arc4randbytes(), and cprng_strong() is about 20% faster
	than rnd_extract_data().  Performance is expected to improve.

	The AES code in src/crypto/rijndael is no longer an optional
	kernel component, as it is required by cprng_strong, which is
	not an optional kernel component.

	The entropy pool output is subjected to the rngtest tests at
	startup time; if it fails, the system will reboot.  There is
	approximately a 3/10000 chance of a false positive from these
	tests.  Entropy pool _input_ from hardware random numbers is
	subjected to the rngtest tests at attach time, as well as the
	FIPS continuous-output test, to detect bad or stuck hardware
	RNGs; if any are detected, they are detached, but the system
	continues to run.

	A problem with rndctl(8) is fixed -- datastructures with
	pointers in arrays are no longer passed to userspace (this
	was not a security problem, but rather a major issue for
	compat32).  A new kernel will require a new rndctl.

	The sysctl kern.arandom() and kern.urandom() nodes are hooked
	up to the new generators, but the /dev/*random pseudodevices
	are not, yet.

	Manual pages for the new kernel interfaces are forthcoming.
2011-11-19 22:51:18 +00:00
jmmv
9b52d4003a Revert my previous change. christos@ submitted a different fix pretty much
at the same time.  Did an update amd64 release build to ensure my change was
really not needed.
2011-05-14 16:46:55 +00:00
jmmv
d899efcf6e Declare for-loop control variable outside of the for statement to prevent
a warning and therefore fix the build.
2011-05-14 16:27:49 +00:00
christos
018b374686 - don't assume aligned buffers.
- little KNF
2011-05-14 01:59:19 +00:00
drochner
9d083d2f9c add "camellia" crypto code, copied from FreeBSD 2011-05-05 17:38:35 +00:00
pooka
4d79e8c53d Apply const where necessary (XXX: where is bf_locl.org?) 2009-06-30 13:14:40 +00:00
dsl
02cdf4d2c8 Remove all the __P() from sys (excluding sys/dist)
Diff checked with grep and MK1 eyeball.
i386 and amd64 GENERIC and sys still build.
2009-03-14 14:45:51 +00:00
lukem
6ec6d598ac use __KERNEL_RCSID() 2007-12-11 23:31:07 +00:00
lukem
06d6cbc0d9 use __KERNEL_RCSID() 2007-12-11 23:13:57 +00:00
cbiere
f5b684cf56 Added missing const-qualifiers. 2007-01-22 01:38:33 +00:00
cbiere
6d8f729825 Added const-qualifiers. 2007-01-21 23:00:08 +00:00
christos
31a62606ea Merge kernel and userland rmd160 and sha2 implementation.
XXX: We still install rmd160.h and sha2.h in /usr/include/crypto, unlike
the other hash functions which get installed in /usr/include for compatibility.
2006-10-27 21:20:48 +00:00
christos
78c43e9064 static comes first 2006-09-03 05:22:36 +00:00
mrg
084c052803 quell GCC 4.1 uninitialised variable warnings.
XXX: we should audit the tree for which old ones are no longer needed
after getting the older compilers out of the tree.
2006-05-10 21:53:14 +00:00
christos
95e1ffb156 merge ktrace-lwp. 2005-12-11 12:16:03 +00:00
elad
e0d3e1c5ea RMD160_DIGEST_STRING_LENGTH is 41, including the terminating NUL. 2005-09-24 21:31:53 +00:00
elad
b6c7f93fa8 Install rmd160.h to /usr/include/crypto. 2005-09-24 18:34:59 +00:00
elad
ad7f55858f RMD160File() gets const char *, add RMD160FileChunk(). 2005-09-24 18:12:35 +00:00
elad
138b399207 Define RMD160_DIGEST_STRING_LENGTH. 2005-09-24 17:39:15 +00:00
elad
45b120e04b Lint warnings. 2005-09-11 16:11:22 +00:00
elad
7bdf56d9b6 Remove stuff inside #if 0, remove __P macro usage, add helper routines
prototypes inside #ifndef _KERNEL.
2005-08-23 16:23:50 +00:00
elad
935cb376b9 Make this usable both in kernel and userland. 2005-08-22 15:33:08 +00:00
elad
4bbe952358 Install sha2.h to /usr/include/crypto. 2005-08-20 15:42:03 +00:00
tron
f84cd33e5f Remove unused functions SHA*_End() and SHA*_Data(). 2005-07-21 15:42:41 +00:00
martin
1ec429dfd5 Constify, to make it compile (at least).
XXX - I'm not sure with what args this is called, but my bet is that
there is no chance this code will work on alignment requiring archs.
2005-06-03 11:31:57 +00:00
christos
87de4cecc4 add a missing const 2005-05-31 00:43:56 +00:00
christos
0a86a6b05d sprinkle const 2005-05-30 04:13:14 +00:00
christos
362a4a0bd5 Yes, it was a cool trick >20 years ago to use "0123456789abcdef"[a] to
implement xtoa(), but I think defining the same string 50 times is a bit
too much. Defined HEXDIGITS and hexdigits in subr_prf.c and use it...
2005-05-17 04:14:57 +00:00
blymn
77b4424bf0 Make resultant hash length a symbolic define so other code can reuse the
same define.
2005-04-19 14:05:53 +00:00
perry
477853c351 nuke trailing whitespace 2005-02-26 22:58:54 +00:00
keihan
6979203302 s/netbsd.org/NetBSD.org/g 2003-11-28 08:56:48 +00:00
tls
1f93975cf8 Move the Skipjack algorithm from sys/opencrypto to sys/crypto/skipjack.
There are now no cryptographic algorithms in sys/opencrypto, which,
according to the comment formerly in files.opencrypto, was the original
intent.
2003-11-16 12:07:50 +00:00
itojun
1e4d96a37f bzero() 2nd arg mistake. found by openbsd guys, via kame 2003-09-04 00:11:49 +00:00
itojun
467deb61ca rijndael-api-fst.h is not needed 2003-08-28 08:38:19 +00:00
thorpej
d5d0a860bc Add missing RCS ID. 2003-08-27 14:49:44 +00:00
itojun
725b73043b simplify rijndael.c API - always schedule encrypt/decrypt key.
reviewed by thorpej
2003-08-27 14:23:25 +00:00
tron
710886efc2 Fix build problem caused by adding "const", remove "register" usage. 2003-08-27 12:17:18 +00:00
itojun
000061139d typo 2003-08-27 03:35:35 +00:00
itojun
880bf51285 check and panic if key with wrong dir is passed 2003-08-27 02:44:19 +00:00
thorpej
e77423d998 * Const poison, ANSI'ify, like newer OpenSSL Blowfish code.
* Add a BF_ecb_encrypt(), which makes for a prettier interface than
  using BF_encrypt()/BF_decrypt() directly.
2003-08-26 23:51:12 +00:00
thorpej
850a45bf66 const an array. 2003-08-26 20:15:13 +00:00
thorpej
e6430e4cf8 Const poison, use ANSI-style. 2003-08-26 20:12:22 +00:00
thorpej
793bc7ea32 Take a couple more opportunities to const poison. 2003-08-26 20:07:59 +00:00
thorpej
2d241878c0 Const poison. 2003-08-26 19:58:36 +00:00
thorpej
6de9ce0437 Move the opencrypto CAST-128 implementation to crypto/cast128, removing
the old one.  Rename the functions/structures from cast_* to cast128_*.
Adapt the KAME IPsec to use the new CAST-128 code, which has a simpler
API and smaller footprint.
2003-08-26 16:37:36 +00:00
thorpej
aa6632baa6 G/C opencrypto's local copy of rijndael. Adapt the extant rijndael
code for opencrypto's use by adding the simplified API that opencrypto
expects.
2003-08-26 14:24:05 +00:00
thorpej
633cb7d73e Make opencrypto depend on the "ripemd160" and "sha2" attributes, rather
than polluting the crypto algorithm config info with opencrypto knowledge.
2003-08-24 19:26:54 +00:00
elric
73d81f8b40 Ensure that the IV is aligned for strict alignment machines. 2003-08-18 02:36:17 +00:00