#
71c9a541 |
| 14-Apr-2015 |
riastradh <riastradh@NetBSD.org> |
Include <sys/rndsource.h> where it is actually used.
I had removed <sys/rnd.h> from files that didn't mention anything of the rnd(9) API. But they included other files which assumed <sys/rnd.h> had
Include <sys/rndsource.h> where it is actually used.
I had removed <sys/rnd.h> from files that didn't mention anything of the rnd(9) API. But they included other files which assumed <sys/rnd.h> had already been included.
show more ...
|
#
cc9ee3de |
| 02-Feb-2012 |
tls <tls@NetBSD.org> |
Entropy-pool implementation move and cleanup.
1) Move core entropy-pool code and source/sink/sample management code to sys/kern from sys/dev.
2) Remove use of NRND as test for presence of entrop
Entropy-pool implementation move and cleanup.
1) Move core entropy-pool code and source/sink/sample management code to sys/kern from sys/dev.
2) Remove use of NRND as test for presence of entropy-pool code throughout source tree.
3) Remove use of RND_ENABLED in device drivers as microoptimization to avoid expensive operations on disabled entropy sources; make the rnd_add calls do this directly so all callers benefit.
4) Fix bug in recent rnd_add_data()/rnd_add_uint32() changes that might have lead to slight entropy overestimation for some sources.
5) Add new source types for environmental sensors, power sensors, VM system events, and skew between clocks, with a sample implementation for each.
ok releng to go in before the branch due to the difficulty of later pullup (widespread #ifdef removal and moved files). Tested with release builds on amd64 and evbarm and live testing on amd64.
show more ...
|
#
8e933452 |
| 19-Nov-2011 |
tls <tls@NetBSD.org> |
First step of random number subsystem rework described in <20111022023242.BA26F14A158@mail.netbsd.org>. This change includes the following:
An initial cleanup and minor reorganization of the entro
First step of random number subsystem rework described in <20111022023242.BA26F14A158@mail.netbsd.org>. This change includes the following:
An initial cleanup and minor reorganization of the entropy pool code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are fixed. Some effort is made to accumulate entropy more quickly at boot time.
A generic interface, "rndsink", is added, for stream generators to request that they be re-keyed with good quality entropy from the pool as soon as it is available.
The arc4random()/arc4randbytes() implementation in libkern is adjusted to use the rndsink interface for rekeying, which helps address the problem of low-quality keys at boot time.
An implementation of the FIPS 140-2 statistical tests for random number generator quality is provided (libkern/rngtest.c). This is based on Greg Rose's implementation from Qualcomm.
A new random stream generator, nist_ctr_drbg, is provided. It is based on an implementation of the NIST SP800-90 CTR_DRBG by Henric Jungheim. This generator users AES in a modified counter mode to generate a backtracking-resistant random stream.
An abstraction layer, "cprng", is provided for in-kernel consumers of randomness. The arc4random/arc4randbytes API is deprecated for in-kernel use. It is replaced by "cprng_strong". The current cprng_fast implementation wraps the existing arc4random implementation. The current cprng_strong implementation wraps the new CTR_DRBG implementation. Both interfaces are rekeyed from the entropy pool automatically at intervals justifiable from best current cryptographic practice.
In some quick tests, cprng_fast() is about the same speed as the old arc4randbytes(), and cprng_strong() is about 20% faster than rnd_extract_data(). Performance is expected to improve.
The AES code in src/crypto/rijndael is no longer an optional kernel component, as it is required by cprng_strong, which is not an optional kernel component.
The entropy pool output is subjected to the rngtest tests at startup time; if it fails, the system will reboot. There is approximately a 3/10000 chance of a false positive from these tests. Entropy pool _input_ from hardware random numbers is subjected to the rngtest tests at attach time, as well as the FIPS continuous-output test, to detect bad or stuck hardware RNGs; if any are detected, they are detached, but the system continues to run.
A problem with rndctl(8) is fixed -- datastructures with pointers in arrays are no longer passed to userspace (this was not a security problem, but rather a major issue for compat32). A new kernel will require a new rndctl.
The sysctl kern.arandom() and kern.urandom() nodes are hooked up to the new generators, but the /dev/*random pseudodevices are not, yet.
Manual pages for the new kernel interfaces are forthcoming.
show more ...
|