Commit Graph

17 Commits

Author SHA1 Message Date
kardel de4337ab21 merge FreeBSD timecounters from branch simonb-timecounters
- struct timeval time is gone
  time.tv_sec -> time_second
- struct timeval mono_time is gone
  mono_time.tv_sec -> time_uptime
- access to time via
	{get,}{micro,nano,bin}time()
	get* versions are fast but less precise
- support NTP nanokernel implementation (NTP API 4)
- further reading:
  Timecounter Paper: http://phk.freebsd.dk/pubs/timecounter.pdf
  NTP Nanokernel: http://www.eecis.udel.edu/~mills/ntp/html/kern.html
2006-06-07 22:33:33 +00:00
perry 0f0296d88a Remove leading __ from __(const|inline|signed|volatile) -- it is obsolete. 2005-12-24 20:45:08 +00:00
christos 95e1ffb156 merge ktrace-lwp. 2005-12-11 12:16:03 +00:00
perry 477853c351 nuke trailing whitespace 2005-02-26 22:58:54 +00:00
enami 41122731c8 Redo part of rev. 1.10. 2004-09-17 21:54:28 +00:00
yamt 64308e90f3 arc4random: fix a bug introduced by rev.1.7.
actually generate four bytes random value, rather than
leaving a byte always zero.
2004-09-08 04:06:15 +00:00
itojun cc76a8982b fix build for bootloaders (no /usr/include/sys/kernel.h any more). 2003-10-02 10:39:27 +00:00
itojun 1403d9d920 KNF 2003-08-20 13:32:33 +00:00
dan 73390e7e36 let this compile in the non KERNEL case without NRND. 2002-10-06 13:42:36 +00:00
tls 0f95ec4fd5 ESP output was drawing down the entropy pool at a ferocious rate, a
particular problem on hosts with only wireless interfaces that are
definitely not safe to use as entropy sources.

Add arc4randbytes() which hands out bytes from the same source used
by arc4random().  This is intended to be a _temporary_ interface
until we can design and implement a better general PRNG interface
that is decoupled from the entropy-pool implementation.

Modify key_randomfill() (used only for initialization vectors on
SA creation and via key_sa_stir_iv(), which does not "stir",
despite its name) to use arc4randbytes() instead of pulling bits
directly from the entropy pool.  It is my hope that this change
will pose minimal integration problems for the KAME folks as the
random-pool interface is *already* different between each BSD
variant; this just simplifies the NetBSD case and solves a
fairly serious problem.

Note that it is generally considered acceptable cryptographic
practice to use a fast stream cipher to generate IVs for encryption
with stronger block ciphers.  For example, the use of "non-Approved"
PRNGs to generate IVs for "Approved" block ciphers is explicitly
sanctioned by FIPS 140-2.
2002-10-06 08:51:44 +00:00
tls cd114adca5 This commit includes two major changes:
1) Speed up arc4random().  We make arc4randbyte() inline, which makes this
   not much slower than, say, the other arc4 implementation in our kernel.

   We also replace four calls to arc4randbyte() with a loop, saving about
   20% on some processors where the "unrolled" arc4randbyte() calls would
   needlessly stomp the cache.

2) Address various problems with the initialization/"stirring" code,
   primarily in the area of handling of the source data from the kernel
   entropy pool.  We used to:

	a) Ask the entropy pool for 32 bytes

	b) If we got zero bytes, key with junk from the stack (ouch!)
	   which has some nasty implications, to say the least.  For
	   example, we're most likely to get zero bytes at boot time,
	   when the stack contents are even more predictable than usual.

	c) If we got less than 32 bytes but more than zero bytes, use
	   however many bytes we got as the arc4 key, copying it
	   repeatedly as per usual arc4 key setup.

	   Because of the way NetBSD's entropy pool works, this was
	   mostly harmless, because if you ask for RND_EXTRACT_ANY,
	   you always get as many bytes as you ask for.  However,
	   this is probably a security hole in the original FreeBSD
	   code, where AFAICT you might end up using an 8-bit arc4
	   key -- not good, much worse than using the output of the
	   entropy pool hash function even when it thinks it only
	   has 8 bits of entropy to give you.

	   One thing this code could do on NetBSD that was not so
	   good was to replace a key with a lot of entropy with
	   one with less entropy.  That's clearly counterproductive.

   The new code, instead:

	a) Asks for 32 good bytes.  If it gets them, use them as the
	   arc4 key in the usual way.

	b) Tracks how many entropy bytes the key it's replacing had.
	   If the new entropy request got less bytes, leave the old
	   key in place.  Note that the first time through, the "old
	   key" had zero bytes, so we'll always replace it.

	c) If we get less then 32 bytes but more than we had, request
	   EXTRACT_ANY bytes from the entropy pool, padding the key
	   out to 32 bytes which we then use as the arc4 key in the
	   usual way.

This is still really all rather backwards.  Instead of this generator
deciding to rekey itself using a basically arbitrary metric, it should
register a callback so that the entropy pool code could rekey it when
a lot of bits were available.  Details at 11.

Finally, rename the "stir" function (which did not stir) to "rekey",
which is what it actually does.
2002-10-06 06:47:40 +00:00
itojun df6ef6d0d3 include rnd.h only under kernel build.
caveat: arc4random() will not get stirred in bootstrap code.
2002-10-04 07:33:26 +00:00
itojun dfea6e4344 add missing "rnd.h" include - noted by simonb 2002-10-04 02:37:23 +00:00
itojun c3e57df04c discard 256 bytes of output every time we stir (not just when initializing) 2002-06-14 03:05:46 +00:00
itojun c0e2bb0509 need libkern.h for bootloaders 2002-05-29 06:27:15 +00:00
itojun 2e926ba699 no need for libkern.h 2002-05-28 12:21:22 +00:00
itojun 0ac289dea9 have arc4random(9). 2002-05-28 10:09:24 +00:00