![[BACK]](/icons/back.gif){kind=icon}
Up to [cvs.NetBSD.org] / src / sys / kern
Request diff between arbitrary revisions
Default branch: MAIN
Revision 1.43.4.1 / (download) - annotate - [select for diffs], Fri Aug 11 14:35:25 2023 UTC (8 months ago) by martin
Branch: netbsd-10
CVS Tags: netbsd-10-0-RELEASE,
netbsd-10-0-RC6,
netbsd-10-0-RC5,
netbsd-10-0-RC4,
netbsd-10-0-RC3,
netbsd-10-0-RC2,
netbsd-10-0-RC1
Changes since 1.43: +35 -18
lines
Diff to previous 1.43 (colored) next main 1.44 (colored)
Pull up following revision(s) (requested by riastradh in ticket #319): sys/dev/pci/ubsec.c: revision 1.64 sys/dev/pci/hifn7751.c: revision 1.82 lib/libc/gen/getentropy.3: revision 1.5 lib/libc/gen/getentropy.3: revision 1.6 share/man/man4/rnd.4: revision 1.41 lib/libc/sys/getrandom.2: revision 1.2 lib/libc/sys/getrandom.2: revision 1.3 share/man/man5/rc.conf.5: revision 1.193 share/man/man7/entropy.7: revision 1.5 share/man/man7/entropy.7: revision 1.6 share/man/man7/entropy.7: revision 1.7 share/man/man7/entropy.7: revision 1.8 etc/security: revision 1.130 share/man/man7/entropy.7: revision 1.9 etc/security: revision 1.131 sys/crypto/cprng_fast/cprng_fast.c: revision 1.19 sys/sys/rndio.h: revision 1.3 tests/lib/libc/sys/t_getrandom.c: revision 1.5 etc/defaults/rc.conf: revision 1.164 etc/defaults/rc.conf: revision 1.165 sys/sys/rndsource.h: revision 1.10 sys/kern/kern_entropy.c: revision 1.62 sys/kern/kern_entropy.c: revision 1.63 sys/kern/kern_entropy.c: revision 1.64 sys/kern/subr_cprng.c: revision 1.44 sys/kern/kern_entropy.c: revision 1.65 sys/kern/kern_clock.c: revision 1.149 sys/dev/pci/viornd.c: revision 1.22 share/man/man9/rnd.9: revision 1.32 sys/kern/subr_prf.c: revision 1.202 sys/sys/rndsource.h: revision 1.8 sys/sys/rndsource.h: revision 1.9 share/man/man7/entropy.7: revision 1.10 1. Reinstate netbsd<=9 entropy estimator to unblock /dev/random, in parallel with assessment of only confident entropy sources (seed, HWRNG) for security warnings like sshd keys in motd and daily insecurity report. 2. Make multiuser boot wait for first /dev/random output soon after loading a seed and configuring rndctl, so that getentropy(3) meets its contract starting early at boot without introducing blocking paths that could cause hangs in init(8) or single-user mode. Operators can choose to disable this wait in rc.conf. 3. Fix some bugs left over from reducing the global entropy lock from a spin lock at IPL_VM to an adaptive lock at IPL_SOFTSERIAL. 4. Update man pages.
Revision 1.44 / (download) - annotate - [select for diffs], Sat Aug 5 11:21:24 2023 UTC (8 months, 1 week ago) by riastradh
Branch: MAIN
CVS Tags: thorpej-ifq-base,
thorpej-ifq,
thorpej-altq-separation-base,
thorpej-altq-separation,
HEAD
Changes since 1.43: +35 -18
lines
Diff to previous 1.43 (colored)
cprng(9): Drop and retake percpu reference across entropy_extract. entropy_extract may sleep on an adaptive lock, which invalidates percpu(9) references. Add a note in the comment over entropy_extract about this. Discovered by stumbling upon this panic during a test run: [ 1.0200050] panic: kernel diagnostic assertion "(cprng == percpu_getref(cprng_fast_percpu)) && (percpu_putref(cprng_fast_percpu), true)" failed: file "/home/riastradh/netbsd/current/src/sys/rump/librump/rumpkern/../../../crypto/cprng_fast/cprng_fast.c", line 117 XXX pullup-10
Revision 1.43 / (download) - annotate - [select for diffs], Fri May 13 09:40:25 2022 UTC (23 months ago) by riastradh
Branch: MAIN
CVS Tags: netbsd-10-base,
bouyer-sunxi-drm-base,
bouyer-sunxi-drm
Branch point for: netbsd-10
Changes since 1.42: +3 -3
lines
Diff to previous 1.42 (colored)
cprng(9): Fix accidental 4x seed size. With SHA-256, NIST Hash_DRBG takes an preferred 440-bit/55-byte seed. It's a weird number, and I'm not sure where it comes from (a quick skim of SP800-90A doesn't turn anything up), but it's certainly sufficient (256-bit/32-byte seed is almost certainly enough) so it's not a problem to use something larger; Hash_DRBG can absorb seeds of arbitrary lengths and larger seeds can't really hurt security (with minor caveats like HMAC RO quirks that don't apply here). Except -- owing to a typo, we actually used a 1760-bit/220-byte seed, because I wrote `uint32_t seed[...]' instead of `uint8_t seed[...]'. Again: not a problem to use a seed larger than needed. But let's draw no more than we need out of the entropy pool! Verified with CTASSERT(sizeof(seed) == 55). (Assertion omitted from this commit because we might swap out Hash_DRBG for something else with a different seed size like 32 bytes.)
Revision 1.42 / (download) - annotate - [select for diffs], Wed Mar 16 23:56:33 2022 UTC (2 years, 1 month ago) by riastradh
Branch: MAIN
Changes since 1.41: +10 -14
lines
Diff to previous 1.41 (colored)
cprng(9): Forbid use in hard interrupt context. May need access to the global entropy pool (infrequently). This way the global entropy pool lock can be lowered to IPL_SOFTSERIAL too, with a little additional work.
Revision 1.40.6.1 / (download) - annotate - [select for diffs], Sun Aug 1 22:42:38 2021 UTC (2 years, 8 months ago) by thorpej
Branch: thorpej-i2c-spi-conf
Changes since 1.40: +3 -2
lines
Diff to previous 1.40 (colored) next main 1.41 (colored)
Sync with HEAD.
Revision 1.41 / (download) - annotate - [select for diffs], Wed Jul 21 06:35:45 2021 UTC (2 years, 8 months ago) by skrll
Branch: MAIN
CVS Tags: thorpej-i2c-spi-conf2-base,
thorpej-i2c-spi-conf2,
thorpej-i2c-spi-conf-base,
thorpej-futex2-base,
thorpej-futex2,
thorpej-cfargs2-base,
thorpej-cfargs2
Changes since 1.40: +3 -2
lines
Diff to previous 1.40 (colored)
need <sys/param.h> for COHERENCY_UNIT Minor KNF along the way.
Revision 1.30.2.4 / (download) - annotate - [select for diffs], Mon May 18 18:57:31 2020 UTC (3 years, 10 months ago) by martin
Branch: netbsd-9
CVS Tags: netbsd-9-3-RELEASE,
netbsd-9-2-RELEASE,
netbsd-9-1-RELEASE
Changes since 1.30.2.3: +3 -3
lines
Diff to previous 1.30.2.3 (colored) to branchpoint 1.30 (colored) next main 1.31 (colored)
Pull up following revision(s) (requested by nia in ticket #914): sys/kern/subr_cprng.c: revision 1.37 (via patch, adapted) Make kern.arandom truncate the output instead of failing with ETOOBIG when the requested data exceeds 256 bytes in size. The actual size of the returned data is output to oldlenp. This matches FreeBSD's behaviour and seems to be more in line with what software in the wild expects. "sounds reasonble" - Riastradh
Revision 1.40 / (download) - annotate - [select for diffs], Mon May 11 21:40:12 2020 UTC (3 years, 11 months ago) by riastradh
Branch: MAIN
CVS Tags: thorpej-futex-base,
thorpej-futex,
thorpej-cfargs-base,
thorpej-cfargs,
cjep_sun2x-base1,
cjep_sun2x-base,
cjep_sun2x,
cjep_staticlib_x-base1,
cjep_staticlib_x-base,
cjep_staticlib_x
Branch point for: thorpej-i2c-spi-conf
Changes since 1.39: +2 -25
lines
Diff to previous 1.39 (colored)
Remove cprng initialization order hack. cprng_init now runs early enough that the hack should no longer be needed to address PR port-arm32/55252.
Revision 1.39 / (download) - annotate - [select for diffs], Mon May 11 21:38:54 2020 UTC (3 years, 11 months ago) by riastradh
Branch: MAIN
Changes since 1.38: +7 -4
lines
Diff to previous 1.38 (colored)
Move cprng_init before configure. This makes it available to device drivers, e.g. to generate MAC addresses at random, without initialization order hacks. Requires a minor initialization hack for cpu_name(primary cpu) early on, since that doesn't get set until mi_cpu_attach which may not run until the middle of configure. But this hack is less bad than other initialization order hacks.
Revision 1.38 / (download) - annotate - [select for diffs], Mon May 11 17:27:48 2020 UTC (3 years, 11 months ago) by riastradh
Branch: MAIN
Changes since 1.37: +25 -2
lines
Diff to previous 1.37 (colored)
Work around early calls to cprng_strong. The bottleneck here is getting percpu_create to work early enough. We should really fix that, but for now, this workaround will serve. Should fix PR port-arm32/55252.
Revision 1.37 / (download) - annotate - [select for diffs], Thu Apr 30 17:36:06 2020 UTC (3 years, 11 months ago) by nia
Branch: MAIN
Changes since 1.36: +3 -3
lines
Diff to previous 1.36 (colored)
Make kern.arandom truncate the output instead of failing with ETOOBIG when the requested data exceeds 256 bytes in size. The actual size of the returned data is output to oldlenp. This matches FreeBSD's behaviour and seems to be more in line with what software in the wild expects. "sounds reasonble" - Riastradh
Revision 1.27.10.3 / (download) - annotate - [select for diffs], Thu Apr 30 15:35:57 2020 UTC (3 years, 11 months ago) by martin
Branch: netbsd-8
Changes since 1.27.10.2: +2 -48
lines
Diff to previous 1.27.10.2 (colored) to branchpoint 1.27 (colored) next main 1.28 (colored)
Pull up following revision(s) (requested by riastradh in ticket #1543): sys/kern/subr_cprng.c: revision 1.34 Disable rngtest on output of cprng_strong. We already do a self-test for correctenss of Hash_DRBG output; applying rngtest to it does nothing but give everyone warning fatigue about spurious rngtest failures.
Revision 1.30.2.3 / (download) - annotate - [select for diffs], Thu Apr 30 15:34:06 2020 UTC (3 years, 11 months ago) by martin
Branch: netbsd-9
Changes since 1.30.2.2: +2 -48
lines
Diff to previous 1.30.2.2 (colored) to branchpoint 1.30 (colored)
Pull up following revision(s) (requested by riastradh in ticket #874): sys/kern/subr_cprng.c: revision 1.34 Disable rngtest on output of cprng_strong. We already do a self-test for correctenss of Hash_DRBG output; applying rngtest to it does nothing but give everyone warning fatigue about spurious rngtest failures.
Revision 1.36 / (download) - annotate - [select for diffs], Thu Apr 30 03:28:18 2020 UTC (3 years, 11 months ago) by riastradh
Branch: MAIN
Changes since 1.35: +230 -471
lines
Diff to previous 1.35 (colored)
Rewrite entropy subsystem.
Primary goals:
1. Use cryptography primitives designed and vetted by cryptographers.
2. Be honest about entropy estimation.
3. Propagate full entropy as soon as possible.
4. Simplify the APIs.
5. Reduce overhead of rnd_add_data and cprng_strong.
6. Reduce side channels of HWRNG data and human input sources.
7. Improve visibility of operation with sysctl and event counters.
Caveat: rngtest is no longer used generically for RND_TYPE_RNG
rndsources. Hardware RNG devices should have hardware-specific
health tests. For example, checking for two repeated 256-bit outputs
works to detect AMD's 2019 RDRAND bug. Not all hardware RNGs are
necessarily designed to produce exactly uniform output.
ENTROPY POOL
- A Keccak sponge, with test vectors, replaces the old LFSR/SHA-1
kludge as the cryptographic primitive.
- `Entropy depletion' is available for testing purposes with a sysctl
knob kern.entropy.depletion; otherwise it is disabled, and once the
system reaches full entropy it is assumed to stay there as far as
modern cryptography is concerned.
- No `entropy estimation' based on sample values. Such `entropy
estimation' is a contradiction in terms, dishonest to users, and a
potential source of side channels. It is the responsibility of the
driver author to study the entropy of the process that generates
the samples.
- Per-CPU gathering pools avoid contention on a global queue.
- Entropy is occasionally consolidated into global pool -- as soon as
it's ready, if we've never reached full entropy, and with a rate
limit afterward. Operators can force consolidation now by running
sysctl -w kern.entropy.consolidate=1.
- rndsink(9) API has been replaced by an epoch counter which changes
whenever entropy is consolidated into the global pool.
. Usage: Cache entropy_epoch() when you seed. If entropy_epoch()
has changed when you're about to use whatever you seeded, reseed.
. Epoch is never zero, so initialize cache to 0 if you want to reseed
on first use.
. Epoch is -1 iff we have never reached full entropy -- in other
words, the old rnd_initial_entropy is (entropy_epoch() != -1) --
but it is better if you check for changes rather than for -1, so
that if the system estimated its own entropy incorrectly, entropy
consolidation has the opportunity to prevent future compromise.
- Sysctls and event counters provide operator visibility into what's
happening:
. kern.entropy.needed - bits of entropy short of full entropy
. kern.entropy.pending - bits known to be pending in per-CPU pools,
can be consolidated with sysctl -w kern.entropy.consolidate=1
. kern.entropy.epoch - number of times consolidation has happened,
never 0, and -1 iff we have never reached full entropy
CPRNG_STRONG
- A cprng_strong instance is now a collection of per-CPU NIST
Hash_DRBGs. There are only two in the system: user_cprng for
/dev/urandom and sysctl kern.?random, and kern_cprng for kernel
users which may need to operate in interrupt context up to IPL_VM.
(Calling cprng_strong in interrupt context does not strike me as a
particularly good idea, so I added an event counter to see whether
anything actually does.)
- Event counters provide operator visibility into when reseeding
happens.
INTEL RDRAND/RDSEED, VIA C3 RNG (CPU_RNG)
- Unwired for now; will be rewired in a subsequent commit.
Revision 1.29.4.2 / (download) - annotate - [select for diffs], Tue Apr 21 18:42:42 2020 UTC (3 years, 11 months ago) by martin
Branch: phil-wifi
Changes since 1.29.4.1: +16 -0
lines
Diff to previous 1.29.4.1 (colored) to branchpoint 1.29 (colored) next main 1.30 (colored)
Sync with HEAD
Revision 1.34.6.1 / (download) - annotate - [select for diffs], Mon Apr 20 11:29:10 2020 UTC (3 years, 11 months ago) by bouyer
Branch: bouyer-xenpvh
Changes since 1.34: +18 -2
lines
Diff to previous 1.34 (colored) next main 1.35 (colored)
Sync with HEAD
Revision 1.29.4.1 / (download) - annotate - [select for diffs], Mon Apr 13 08:05:04 2020 UTC (4 years ago) by martin
Branch: phil-wifi
Changes since 1.29: +48 -84
lines
Diff to previous 1.29 (colored)
Mostly merge changes from HEAD upto 20200411
Revision 1.35 / (download) - annotate - [select for diffs], Sun Apr 12 07:16:09 2020 UTC (4 years ago) by maxv
Branch: MAIN
CVS Tags: phil-wifi-20200421,
bouyer-xenpvh-base2,
bouyer-xenpvh-base1
Changes since 1.34: +18 -2
lines
Diff to previous 1.34 (colored)
Don't inline cprng_strong{32,64}(), so they can be called from asm.
Revision 1.34 / (download) - annotate - [select for diffs], Wed Dec 4 05:36:34 2019 UTC (4 years, 4 months ago) by riastradh
Branch: MAIN
CVS Tags: phil-wifi-20200411,
phil-wifi-20200406,
is-mlppp-base,
is-mlppp,
bouyer-xenpvh-base,
ad-namecache-base3,
ad-namecache-base2,
ad-namecache-base1,
ad-namecache-base,
ad-namecache
Branch point for: bouyer-xenpvh
Changes since 1.33: +2 -48
lines
Diff to previous 1.33 (colored)
Disable rngtest on output of cprng_strong. We already do a self-test for correctenss of Hash_DRBG output; applying rngtest to it does nothing but give everyone warning fatigue about spurious rngtest failures.
Revision 1.30.2.2 / (download) - annotate - [select for diffs], Mon Nov 25 17:00:22 2019 UTC (4 years, 4 months ago) by martin
Branch: netbsd-9
CVS Tags: netbsd-9-0-RELEASE,
netbsd-9-0-RC2,
netbsd-9-0-RC1
Changes since 1.30.2.1: +8 -5
lines
Diff to previous 1.30.2.1 (colored) to branchpoint 1.30 (colored)
Pull up following revision(s) (requested by riastradh in ticket #481): sys/kern/subr_cprng.c: revision 1.33 Use cprng_strong, not cprng_fast, for sysctl kern.arnd.
Revision 1.27.10.2 / (download) - annotate - [select for diffs], Mon Nov 25 16:03:08 2019 UTC (4 years, 4 months ago) by martin
Branch: netbsd-8
CVS Tags: netbsd-8-2-RELEASE
Changes since 1.27.10.1: +8 -5
lines
Diff to previous 1.27.10.1 (colored) to branchpoint 1.27 (colored)
Pull up following revision(s) (requested by riastradh in ticket #1459): sys/kern/subr_cprng.c: revision 1.33 Use cprng_strong, not cprng_fast, for sysctl kern.arnd.
Revision 1.24.2.1.2.2 / (download) - annotate - [select for diffs], Mon Nov 25 15:48:40 2019 UTC (4 years, 4 months ago) by martin
Branch: netbsd-7-0
Changes since 1.24.2.1.2.1: +8 -5
lines
Diff to previous 1.24.2.1.2.1 (colored) to branchpoint 1.24.2.1 (colored) next main 1.24.2.2 (colored)
Pull up following revision(s) (requested by riastradh in ticket #1714): sys/kern/subr_cprng.c: revision 1.33 Use cprng_strong, not cprng_fast, for sysctl kern.arnd.
Revision 1.24.2.1.6.2 / (download) - annotate - [select for diffs], Mon Nov 25 15:47:44 2019 UTC (4 years, 4 months ago) by martin
Branch: netbsd-7-1
Changes since 1.24.2.1.6.1: +8 -5
lines
Diff to previous 1.24.2.1.6.1 (colored) to branchpoint 1.24.2.1 (colored) next main 1.24.2.2 (colored)
Pull up following revision(s) (requested by riastradh in ticket #1714): sys/kern/subr_cprng.c: revision 1.33 Use cprng_strong, not cprng_fast, for sysctl kern.arnd.
Revision 1.24.2.3 / (download) - annotate - [select for diffs], Mon Nov 25 15:46:39 2019 UTC (4 years, 4 months ago) by martin
Branch: netbsd-7
Changes since 1.24.2.2: +8 -5
lines
Diff to previous 1.24.2.2 (colored) to branchpoint 1.24 (colored) next main 1.25 (colored)
Pull up following revision(s) (requested by riastradh in ticket #1714): sys/kern/subr_cprng.c: revision 1.33 Use cprng_strong, not cprng_fast, for sysctl kern.arnd.
Revision 1.33 / (download) - annotate - [select for diffs], Mon Nov 25 15:19:54 2019 UTC (4 years, 4 months ago) by riastradh
Branch: MAIN
Changes since 1.32: +8 -5
lines
Diff to previous 1.32 (colored)
Use cprng_strong, not cprng_fast, for sysctl kern.arnd.
Revision 1.32 / (download) - annotate - [select for diffs], Sun Nov 17 12:32:31 2019 UTC (4 years, 4 months ago) by nia
Branch: MAIN
CVS Tags: phil-wifi-20191119
Changes since 1.31: +5 -4
lines
Diff to previous 1.31 (colored)
Update comment to reflect third-party software's usage of KERN_ARND. Changing it as the comment suggests would be a very terrible idea due to the common usage of this variable. Returning only 32 or 64 bits also seems to be the purpose of KERN_URND, so that functionality is already present.
Revision 1.24.2.1.2.1 / (download) - annotate - [select for diffs], Tue Sep 3 12:30:46 2019 UTC (4 years, 7 months ago) by martin
Branch: netbsd-7-0
Changes since 1.24.2.1: +42 -37
lines
Diff to previous 1.24.2.1 (colored)
Pull up following revision(s) (requested by riastradh in ticket #1705): sys/crypto/nist_hash_drbg/nist_hash_drbg.c: revision 1.1 sys/crypto/nist_hash_drbg/nist_hash_drbg.h: revision 1.1 sys/rump/kern/lib/libcrypto/Makefile: revision 1.5 sys/crypto/nist_hash_drbg/files.nist_hash_drbg: revision 1.1 sys/rump/librump/rumpkern/Makefile.rumpkern: revision 1.176 sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes256.h: file removal sys/crypto/nist_ctr_drbg/nist_ctr_drbg_config.h: file removal sys/conf/files: revision 1.1238 sys/dev/rndpseudo.c: revision 1.38 sys/crypto/nist_ctr_drbg/nist_ctr_drbg.c: file removal sys/sys/cprng.h: revision 1.13 - 1.15 sys/crypto/nist_ctr_drbg/nist_ctr_drbg.h: file removal sys/crypto/nist_ctr_drbg/nist_ctr_aes_rijndael.h: file removal sys/crypto/nist_ctr_drbg/files.nist_ctr_drbg: file removal sys/kern/subr_cprng.c: revision 1.31 sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes128.h: file removal cprng.h: use static __inline for consistency with other include headers and remove an unused function. - Switch from NIST CTR_DRBG with AES to NIST Hash_DRBG with SHA-256. Benefits: - larger seeds -- a 128-bit key alone is not enough for `128-bit security' - better resistance to timing side channels than AES - a better-understood security story (<a rel="nofollow" href="https://eprint.iacr.org/2018/349">https://eprint.iacr.org/2018/349</a>) - no loss in compliance with US government standards that nobody ever got fired for choosing, at least in the US-dominated western world - no dirty endianness tricks - self-tests Drawbacks: - performance hit: throughput is reduced to about 1/3 in naive measurements => possible to mitigate by using hardware SHA-256 instructions => all you really need is 32 bytes to seed a userland PRNG anyway => if we just used ChaCha this would go away...
Revision 1.24.2.1.6.1 / (download) - annotate - [select for diffs], Tue Sep 3 12:28:31 2019 UTC (4 years, 7 months ago) by martin
Branch: netbsd-7-1
Changes since 1.24.2.1: +42 -37
lines
Diff to previous 1.24.2.1 (colored)
Pull up following revision(s) (requested by riastradh in ticket #1705): sys/crypto/nist_hash_drbg/nist_hash_drbg.c: revision 1.1 sys/crypto/nist_hash_drbg/nist_hash_drbg.h: revision 1.1 sys/rump/kern/lib/libcrypto/Makefile: revision 1.5 sys/crypto/nist_hash_drbg/files.nist_hash_drbg: revision 1.1 sys/rump/librump/rumpkern/Makefile.rumpkern: revision 1.176 sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes256.h: file removal sys/crypto/nist_ctr_drbg/nist_ctr_drbg_config.h: file removal sys/conf/files: revision 1.1238 sys/dev/rndpseudo.c: revision 1.38 sys/crypto/nist_ctr_drbg/nist_ctr_drbg.c: file removal sys/sys/cprng.h: revision 1.13 - 1.15 sys/crypto/nist_ctr_drbg/nist_ctr_drbg.h: file removal sys/crypto/nist_ctr_drbg/nist_ctr_aes_rijndael.h: file removal sys/crypto/nist_ctr_drbg/files.nist_ctr_drbg: file removal sys/kern/subr_cprng.c: revision 1.31 sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes128.h: file removal cprng.h: use static __inline for consistency with other include headers and remove an unused function. - Switch from NIST CTR_DRBG with AES to NIST Hash_DRBG with SHA-256. Benefits: - larger seeds -- a 128-bit key alone is not enough for `128-bit security' - better resistance to timing side channels than AES - a better-understood security story (<a rel="nofollow" href="https://eprint.iacr.org/2018/349">https://eprint.iacr.org/2018/349</a>) - no loss in compliance with US government standards that nobody ever got fired for choosing, at least in the US-dominated western world - no dirty endianness tricks - self-tests Drawbacks: - performance hit: throughput is reduced to about 1/3 in naive measurements => possible to mitigate by using hardware SHA-256 instructions => all you really need is 32 bytes to seed a userland PRNG anyway => if we just used ChaCha this would go away...
Revision 1.24.2.2 / (download) - annotate - [select for diffs], Tue Sep 3 12:20:43 2019 UTC (4 years, 7 months ago) by martin
Branch: netbsd-7
Changes since 1.24.2.1: +42 -37
lines
Diff to previous 1.24.2.1 (colored) to branchpoint 1.24 (colored)
Pull up following revision(s) (requested by riastradh in ticket #1705): sys/crypto/nist_hash_drbg/nist_hash_drbg.c: revision 1.1 sys/crypto/nist_hash_drbg/nist_hash_drbg.h: revision 1.1 sys/rump/kern/lib/libcrypto/Makefile: revision 1.5 sys/crypto/nist_hash_drbg/files.nist_hash_drbg: revision 1.1 sys/rump/librump/rumpkern/Makefile.rumpkern: revision 1.176 sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes256.h: file removal sys/crypto/nist_ctr_drbg/nist_ctr_drbg_config.h: file removal sys/conf/files: revision 1.1238 sys/dev/rndpseudo.c: revision 1.38 sys/crypto/nist_ctr_drbg/nist_ctr_drbg.c: file removal sys/sys/cprng.h: revision 1.13 - 1.15 sys/crypto/nist_ctr_drbg/nist_ctr_drbg.h: file removal sys/crypto/nist_ctr_drbg/nist_ctr_aes_rijndael.h: file removal sys/crypto/nist_ctr_drbg/files.nist_ctr_drbg: file removal sys/kern/subr_cprng.c: revision 1.31 sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes128.h: file removal cprng.h: use static __inline for consistency with other include headers and remove an unused function. - Switch from NIST CTR_DRBG with AES to NIST Hash_DRBG with SHA-256. Benefits: - larger seeds -- a 128-bit key alone is not enough for `128-bit security' - better resistance to timing side channels than AES - a better-understood security story (<a rel="nofollow" href="https://eprint.iacr.org/2018/349">https://eprint.iacr.org/2018/349</a>) - no loss in compliance with US government standards that nobody ever got fired for choosing, at least in the US-dominated western world - no dirty endianness tricks - self-tests Drawbacks: - performance hit: throughput is reduced to about 1/3 in naive measurements => possible to mitigate by using hardware SHA-256 instructions => all you really need is 32 bytes to seed a userland PRNG anyway => if we just used ChaCha this would go away...
Revision 1.27.10.1 / (download) - annotate - [select for diffs], Tue Sep 3 12:08:22 2019 UTC (4 years, 7 months ago) by martin
Branch: netbsd-8
Changes since 1.27: +42 -37
lines
Diff to previous 1.27 (colored)
Pull up following revision(s) (requested by riastradh in ticket #1365): sys/crypto/nist_hash_drbg/nist_hash_drbg.c: revision 1.1 sys/crypto/nist_hash_drbg/nist_hash_drbg.h: revision 1.1 sys/rump/kern/lib/libcrypto/Makefile: revision 1.5 sys/crypto/nist_hash_drbg/files.nist_hash_drbg: revision 1.1 sys/rump/librump/rumpkern/Makefile.rumpkern: revision 1.176 sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes256.h: file removal sys/crypto/nist_ctr_drbg/nist_ctr_drbg_config.h: file removal sys/conf/files: revision 1.1238 sys/dev/rndpseudo.c: revision 1.38 sys/crypto/nist_ctr_drbg/nist_ctr_drbg.c: file removal sys/sys/cprng.h: revision 1.13 - 1.15 sys/crypto/nist_ctr_drbg/nist_ctr_drbg.h: file removal sys/crypto/nist_ctr_drbg/nist_ctr_aes_rijndael.h: file removal sys/crypto/nist_ctr_drbg/files.nist_ctr_drbg: file removal sys/kern/subr_cprng.c: revision 1.31 sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes128.h: file removal cprng.h: use static __inline for consistency with other include headers and remove an unused function. - Switch from NIST CTR_DRBG with AES to NIST Hash_DRBG with SHA-256. Benefits: - larger seeds -- a 128-bit key alone is not enough for `128-bit security' - better resistance to timing side channels than AES - a better-understood security story (<a rel="nofollow" href="https://eprint.iacr.org/2018/349">https://eprint.iacr.org/2018/349</a>) - no loss in compliance with US government standards that nobody ever got fired for choosing, at least in the US-dominated western world - no dirty endianness tricks - self-tests Drawbacks: - performance hit: throughput is reduced to about 1/3 in naive measurements => possible to mitigate by using hardware SHA-256 instructions => all you really need is 32 bytes to seed a userland PRNG anyway => if we just used ChaCha this would go away...
Revision 1.30.2.1 / (download) - annotate - [select for diffs], Tue Sep 3 07:48:00 2019 UTC (4 years, 7 months ago) by martin
Branch: netbsd-9
Changes since 1.30: +42 -37
lines
Diff to previous 1.30 (colored)
Pull up following revision(s) (requested by riastradh in ticket #173): sys/crypto/nist_hash_drbg/nist_hash_drbg.c: revision 1.1 sys/crypto/nist_hash_drbg/nist_hash_drbg.h: revision 1.1 sys/rump/kern/lib/libcrypto/Makefile: revision 1.5 sys/crypto/nist_hash_drbg/files.nist_hash_drbg: revision 1.1 sys/rump/librump/rumpkern/Makefile.rumpkern: revision 1.176 sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes256.h: file removal sys/crypto/nist_ctr_drbg/nist_ctr_drbg_config.h: file removal sys/conf/files: revision 1.1238 sys/dev/rndpseudo.c: revision 1.38 sys/crypto/nist_ctr_drbg/nist_ctr_drbg.c: file removal sys/sys/cprng.h: revision 1.15 sys/crypto/nist_ctr_drbg/nist_ctr_drbg.h: file removal sys/crypto/nist_ctr_drbg/nist_ctr_aes_rijndael.h: file removal sys/crypto/nist_ctr_drbg/files.nist_ctr_drbg: file removal sys/kern/subr_cprng.c: revision 1.31 sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes128.h: file removal Switch from NIST CTR_DRBG with AES to NIST Hash_DRBG with SHA-256. Benefits: - larger seeds -- a 128-bit key alone is not enough for `128-bit security' - better resistance to timing side channels than AES - a better-understood security story (<a rel="nofollow" href="https://eprint.iacr.org/2018/349">https://eprint.iacr.org/2018/349</a>) - no loss in compliance with US government standards that nobody ever got fired for choosing, at least in the US-dominated western world - no dirty endianness tricks - self-tests Drawbacks: - performance hit: throughput is reduced to about 1/3 in naive measurements => possible to mitigate by using hardware SHA-256 instructions => all you really need is 32 bytes to seed a userland PRNG anyway => if we just used ChaCha this would go away... XXX pullup-7 XXX pullup-8 XXX pullup-9
Revision 1.31 / (download) - annotate - [select for diffs], Mon Sep 2 20:09:30 2019 UTC (4 years, 7 months ago) by riastradh
Branch: MAIN
Changes since 1.30: +42 -37
lines
Diff to previous 1.30 (colored)
Switch from NIST CTR_DRBG with AES to NIST Hash_DRBG with SHA-256. Benefits: - larger seeds -- a 128-bit key alone is not enough for `128-bit security' - better resistance to timing side channels than AES - a better-understood security story (https://eprint.iacr.org/2018/349) - no loss in compliance with US government standards that nobody ever got fired for choosing, at least in the US-dominated western world - no dirty endianness tricks - self-tests Drawbacks: - performance hit: throughput is reduced to about 1/3 in naive measurements => possible to mitigate by using hardware SHA-256 instructions => all you really need is 32 bytes to seed a userland PRNG anyway => if we just used ChaCha this would go away... XXX pullup-7 XXX pullup-8 XXX pullup-9
Revision 1.30 / (download) - annotate - [select for diffs], Wed Jul 10 17:32:37 2019 UTC (4 years, 9 months ago) by maxv
Branch: MAIN
CVS Tags: netbsd-9-base
Branch point for: netbsd-9
Changes since 1.29: +3 -2
lines
Diff to previous 1.29 (colored)
Zero out 'cprng->cs_name' entirely. Otherwise the RND pool gets polluted by uninitialized bits from the end of the string.
Revision 1.5.2.9 / (download) - annotate - [select for diffs], Sat Mar 3 20:44:38 2018 UTC (6 years, 1 month ago) by snj
Branch: netbsd-6
Changes since 1.5.2.8: +4 -4
lines
Diff to previous 1.5.2.8 (colored) to branchpoint 1.5 (colored) next main 1.6 (colored)
Apply patch (requested by riastradh in ticket #1512): Fix panic when waiting with kqueue/kevent for a read from /dev/random.
Revision 1.5.2.8.2.1 / (download) - annotate - [select for diffs], Sat Mar 3 20:44:35 2018 UTC (6 years, 1 month ago) by snj
Branch: netbsd-6-1
Changes since 1.5.2.8: +4 -4
lines
Diff to previous 1.5.2.8 (colored) next main 1.5.2.9 (colored)
Apply patch (requested by riastradh in ticket #1512): Fix panic when waiting with kqueue/kevent for a read from /dev/random.
Revision 1.5.2.3.4.3 / (download) - annotate - [select for diffs], Sat Mar 3 20:44:33 2018 UTC (6 years, 1 month ago) by snj
Branch: netbsd-6-0
Changes since 1.5.2.3.4.2: +4 -4
lines
Diff to previous 1.5.2.3.4.2 (colored) to branchpoint 1.5.2.3 (colored) next main 1.5.2.4 (colored)
Apply patch (requested by riastradh in ticket #1512): Fix panic when waiting with kqueue/kevent for a read from /dev/random.
Revision 1.12.2.5 / (download) - annotate - [select for diffs], Sun Dec 3 11:38:45 2017 UTC (6 years, 4 months ago) by jdolecek
Branch: tls-maxphys
Changes since 1.12.2.4: +63 -31
lines
Diff to previous 1.12.2.4 (colored) next main 1.13 (colored)
update from HEAD
Revision 1.29 / (download) - annotate - [select for diffs], Fri Dec 1 19:05:49 2017 UTC (6 years, 4 months ago) by christos
Branch: MAIN
CVS Tags: tls-maxphys-base-20171202,
phil-wifi-base,
phil-wifi-20190609,
pgoyette-compat-merge-20190127,
pgoyette-compat-base,
pgoyette-compat-20190127,
pgoyette-compat-20190118,
pgoyette-compat-1226,
pgoyette-compat-1126,
pgoyette-compat-1020,
pgoyette-compat-0930,
pgoyette-compat-0906,
pgoyette-compat-0728,
pgoyette-compat-0625,
pgoyette-compat-0521,
pgoyette-compat-0502,
pgoyette-compat-0422,
pgoyette-compat-0415,
pgoyette-compat-0407,
pgoyette-compat-0330,
pgoyette-compat-0322,
pgoyette-compat-0315,
pgoyette-compat,
isaki-audio2-base,
isaki-audio2
Branch point for: phil-wifi
Changes since 1.28: +59 -32
lines
Diff to previous 1.28 (colored)
Allow attaching for write, but return no events.
Revision 1.28 / (download) - annotate - [select for diffs], Wed Oct 25 08:12:39 2017 UTC (6 years, 5 months ago) by maya
Branch: MAIN
Changes since 1.27: +8 -4
lines
Diff to previous 1.27 (colored)
Use C99 initializer for filterops
Mostly done with spatch with touchups for indentation
@@
expression a;
identifier b,c,d;
identifier p;
@@
const struct filterops p =
- { a, b, c, d
+ {
+ .f_isfd = a,
+ .f_attach = b,
+ .f_detach = c,
+ .f_event = d,
};
Revision 1.26.2.1 / (download) - annotate - [select for diffs], Sat Jun 6 14:40:22 2015 UTC (8 years, 10 months ago) by skrll
Branch: nick-nhusb
Changes since 1.26: +2 -3
lines
Diff to previous 1.26 (colored) next main 1.27 (colored)
Sync with HEAD
Revision 1.27 / (download) - annotate - [select for diffs], Mon Apr 13 22:43:41 2015 UTC (9 years ago) by riastradh
Branch: MAIN
CVS Tags: prg-localcount2-base3,
prg-localcount2-base2,
prg-localcount2-base1,
prg-localcount2-base,
prg-localcount2,
pgoyette-localcount-base,
pgoyette-localcount-20170426,
pgoyette-localcount-20170320,
pgoyette-localcount-20170107,
pgoyette-localcount-20161104,
pgoyette-localcount-20160806,
pgoyette-localcount-20160726,
pgoyette-localcount,
perseant-stdc-iso10646-base,
perseant-stdc-iso10646,
nick-nhusb-base-20170825,
nick-nhusb-base-20170204,
nick-nhusb-base-20161204,
nick-nhusb-base-20161004,
nick-nhusb-base-20160907,
nick-nhusb-base-20160529,
nick-nhusb-base-20160422,
nick-nhusb-base-20160319,
nick-nhusb-base-20151226,
nick-nhusb-base-20150921,
nick-nhusb-base-20150606,
netbsd-8-base,
netbsd-8-1-RELEASE,
netbsd-8-1-RC1,
netbsd-8-0-RELEASE,
netbsd-8-0-RC2,
netbsd-8-0-RC1,
matt-nb8-mediatek-base,
matt-nb8-mediatek,
localcount-20160914,
jdolecek-ncq-base,
jdolecek-ncq,
bouyer-socketcan-base1,
bouyer-socketcan-base,
bouyer-socketcan
Branch point for: netbsd-8
Changes since 1.26: +2 -3
lines
Diff to previous 1.26 (colored)
More rnd.h user cleanup.
Revision 1.26 / (download) - annotate - [select for diffs], Wed Nov 19 14:25:00 2014 UTC (9 years, 4 months ago) by christos
Branch: MAIN
CVS Tags: nick-nhusb-base-20150406,
nick-nhusb-base
Branch point for: nick-nhusb
Changes since 1.25: +6 -6
lines
Diff to previous 1.25 (colored)
Change debug to diagnostic so that more people see the lossage with bad random streams, so we can debug it.
Revision 1.12.2.4 / (download) - annotate - [select for diffs], Wed Aug 20 00:04:29 2014 UTC (9 years, 7 months ago) by tls
Branch: tls-maxphys
Changes since 1.12.2.3: +459 -301
lines
Diff to previous 1.12.2.3 (colored)
Rebase to HEAD as of a few days ago.
Revision 1.24.2.1 / (download) - annotate - [select for diffs], Fri Aug 15 12:56:24 2014 UTC (9 years, 8 months ago) by martin
Branch: netbsd-7
CVS Tags: netbsd-7-nhusb-base-20170116,
netbsd-7-nhusb-base,
netbsd-7-nhusb,
netbsd-7-2-RELEASE,
netbsd-7-1-RELEASE,
netbsd-7-1-RC2,
netbsd-7-1-RC1,
netbsd-7-1-2-RELEASE,
netbsd-7-1-1-RELEASE,
netbsd-7-0-RELEASE,
netbsd-7-0-RC3,
netbsd-7-0-RC2,
netbsd-7-0-RC1,
netbsd-7-0-2-RELEASE,
netbsd-7-0-1-RELEASE
Branch point for: netbsd-7-1,
netbsd-7-0
Changes since 1.24: +4 -2
lines
Diff to previous 1.24 (colored)
Pull up following revision(s) (requested by riastradh in ticket #22): sys/kern/subr_cprng.c: revision 1.25 Lock cprng->cs_lock around rndsink_request to avoid race with callback.
Revision 1.25 / (download) - annotate - [select for diffs], Thu Aug 14 16:28:30 2014 UTC (9 years, 8 months ago) by riastradh
Branch: MAIN
Changes since 1.24: +2 -0
lines
Diff to previous 1.24 (colored)
Lock cprng->cs_lock around rndsink_request to avoid race with callback.
Revision 1.24 / (download) - annotate - [select for diffs], Sun Aug 10 16:44:36 2014 UTC (9 years, 8 months ago) by tls
Branch: MAIN
CVS Tags: tls-maxphys-base,
netbsd-7-base
Branch point for: netbsd-7
Changes since 1.23: +31 -32
lines
Diff to previous 1.23 (colored)
Merge tls-earlyentropy branch into HEAD.
Revision 1.23.2.2 / (download) - annotate - [select for diffs], Sat Aug 9 06:19:50 2014 UTC (9 years, 8 months ago) by tls
Branch: tls-earlyentropy
Changes since 1.23.2.1: +3 -164
lines
Diff to previous 1.23.2.1 (colored) to branchpoint 1.23 (colored) next main 1.24 (colored)
Replace "ccrand" ChaCha implementation of cprng_fast with Taylor's smaller and somewhat simpler one. Fix rump builds so we can build a distribution.
Revision 1.23.2.1 / (download) - annotate - [select for diffs], Thu Jul 17 14:03:33 2014 UTC (9 years, 9 months ago) by tls
Branch: tls-earlyentropy
Changes since 1.23: +189 -29
lines
Diff to previous 1.23 (colored)
Adjustments to the "earlyentropy" branch in response to the various discussions beginning with my initial proposal http://mail-index.netbsd.org/tech-kern/2014/04/08/msg016876.html and particularly the long discussion of cprng_fast() performance (e.g. https://mail-index.netbsd.org/tech-crypto/2014/04/21/msg000642.html). In particular: * Per-CPU, lockless cprng_fast replacement using Dennis Ferguson's "ccrand" implementation of ChaCha8. * libkern arc4random() is gone, gone, gone. * Entropy estimator reverted to 32-bit recordkeeping and timestamps per Dennis' comments and analysis. * LZF entropy estimator removed: it required a great deal of state, and rejected only truly pathological input. I have not yet reverted the changes that provide LZF in the kernel as generic functionality; I will likely revert those changes prior to any merge of this branch to HEAD.
Revision 1.7.2.6 / (download) - annotate - [select for diffs], Thu May 22 11:41:03 2014 UTC (9 years, 10 months ago) by yamt
Branch: yamt-pagecache
Changes since 1.7.2.5: +452 -270
lines
Diff to previous 1.7.2.5 (colored) to branchpoint 1.7 (colored) next main 1.8 (colored)
sync with head.
for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.
this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
Revision 1.20.2.2 / (download) - annotate - [select for diffs], Sun May 18 17:46:07 2014 UTC (9 years, 11 months ago) by rmind
Branch: rmind-smpnet
Changes since 1.20.2.1: +95 -2
lines
Diff to previous 1.20.2.1 (colored) next main 1.21 (colored)
sync with head
Revision 1.23 / (download) - annotate - [select for diffs], Fri Jan 17 02:12:48 2014 UTC (10 years, 3 months ago) by pooka
Branch: MAIN
CVS Tags: yamt-pagecache-base9,
tls-earlyentropy-base,
rmind-smpnet-nbase,
rmind-smpnet-base,
riastradh-xf86-video-intel-2-7-1-pre-2-21-15,
riastradh-drm2-base3
Branch point for: tls-earlyentropy
Changes since 1.22: +95 -2
lines
Diff to previous 1.22 (colored)
Put cprng sysctls into subr_cprng.c. Also, make sysctl_prng static in subr_cprng and get rid of SYSCTL_PRIVATE namespace leak macro. Fixes ping(8) when run against a standalone rump kernel due to appearance of the kern.urandom sysctl node (in case someone was wondering ...)
Revision 1.20.2.1 / (download) - annotate - [select for diffs], Wed Aug 28 23:59:35 2013 UTC (10 years, 7 months ago) by rmind
Branch: rmind-smpnet
Changes since 1.20: +33 -21
lines
Diff to previous 1.20 (colored)
sync with head
Revision 1.22 / (download) - annotate - [select for diffs], Sat Jul 27 11:19:09 2013 UTC (10 years, 8 months ago) by skrll
Branch: MAIN
Changes since 1.21: +3 -3
lines
Diff to previous 1.21 (colored)
Fix KASSERT to avoid assumptions about ipl order. XXX Temporary measure?
Revision 1.21 / (download) - annotate - [select for diffs], Mon Jul 1 15:22:00 2013 UTC (10 years, 9 months ago) by riastradh
Branch: MAIN
CVS Tags: riastradh-drm2-base2,
riastradh-drm2-base1,
riastradh-drm2-base,
riastradh-drm2
Changes since 1.20: +32 -20
lines
Diff to previous 1.20 (colored)
Fix races in /dev/u?random initialization and accounting. - Push /dev/random `information-theoretic' accounting into cprng(9). - Use percpu(9) for the per-CPU CPRNGs. - Use atomics with correct memory barriers for lazy CPRNG creation. - Remove /dev/random file kmem grovelling from fstat(1).
Revision 1.20 / (download) - annotate - [select for diffs], Mon Jun 24 04:21:20 2013 UTC (10 years, 9 months ago) by riastradh
Branch: MAIN
Branch point for: rmind-smpnet
Changes since 1.19: +6 -6
lines
Diff to previous 1.19 (colored)
Replace consttime_bcmp/explicit_bzero by consttime_memequal/explicit_memset. consttime_memequal is the same as the old consttime_bcmp. explicit_memset is to memset as explicit_bzero was to bcmp. Passes amd64 release and i386/ALL, but I'm sure I missed some spots, so please let me know.
Revision 1.19 / (download) - annotate - [select for diffs], Mon Jun 24 00:56:21 2013 UTC (10 years, 9 months ago) by riastradh
Branch: MAIN
Changes since 1.18: +3 -2
lines
Diff to previous 1.18 (colored)
Include <sys/lwp.h> for curlwp.
Revision 1.12.2.3 / (download) - annotate - [select for diffs], Sun Jun 23 06:18:58 2013 UTC (10 years, 9 months ago) by tls
Branch: tls-maxphys
Changes since 1.12.2.2: +17 -8
lines
Diff to previous 1.12.2.2 (colored)
resync from head
Revision 1.18 / (download) - annotate - [select for diffs], Sun Jun 23 02:35:24 2013 UTC (10 years, 9 months ago) by riastradh
Branch: MAIN
Changes since 1.17: +349 -296
lines
Diff to previous 1.17 (colored)
Rework rndsink(9) abstraction and adapt arc4random(9) and cprng(9). rndsink(9): - Simplify API. - Simplify locking scheme. - Add a man page. - Avoid races in destruction. - Avoid races in requesting entropy now and scheduling entropy later. Periodic distribution of entropy to sinks reduces the need for the last one, but this way we don't need to rely on periodic distribution (e.g., in a future tickless NetBSD). rndsinks_lock should probably eventually merge with the rndpool lock, but we'll put that off for now. cprng(9): - Make struct cprng_strong opaque. - Move rndpseudo.c parts that futz with cprng guts to subr_cprng.c. - Fix kevent locking. (Is kevent locking documented anywhere?) - Stub out rump cprng further until we can rumpify rndsink instead. - Strip code to grovel through struct cprng_strong in fstat.
Revision 1.17 / (download) - annotate - [select for diffs], Thu Jun 13 00:55:01 2013 UTC (10 years, 10 months ago) by tls
Branch: MAIN
Changes since 1.16: +13 -4
lines
Diff to previous 1.16 (colored)
Convert the entropy pool framework from pseudo-callout-driven to soft interrupt driven operation. Add a polling mode of operation -- now we can ask hardware random number generators to top us up just when we need it (bcm2835_rng and amdpm converted as examples). Fix a stall noticed with repeated reads from /dev/random while testing.
Revision 1.5.2.3.4.2 / (download) - annotate - [select for diffs], Fri Mar 29 00:46:58 2013 UTC (11 years ago) by msaitoh
Branch: netbsd-6-0
CVS Tags: netbsd-6-0-6-RELEASE,
netbsd-6-0-5-RELEASE,
netbsd-6-0-4-RELEASE,
netbsd-6-0-3-RELEASE,
netbsd-6-0-2-RELEASE
Changes since 1.5.2.3.4.1: +4 -4
lines
Diff to previous 1.5.2.3.4.1 (colored) to branchpoint 1.5.2.3 (colored)
Pull up following revision(s) (requested by tls in ticket #859): sys/kern/subr_cprng.c: revision 1.16 Re-fix 'fix' for SA-2013-003. Because the original fix evaluated a flag backwards, in low-entropy conditions there was a time interval in which /dev/urandom could still output bits on an unacceptably short key. Output from /dev/random was *NOT* impacted. Eliminate the flag in question -- it's safest to always fill the requested key buffer with output from the entropy-pool, even if we let the caller know we couldn't provide bytes with the full entropy it requested. Advisory will be updated soon with a full worst-case analysis of the /dev/urandom output path in the presence of either variant of the SA-2013-003 bug. Fortunately, because a large amount of other input is mixed in before users can obtain any output, it doesn't look as dangerous in practice as I'd feared it might be.
Revision 1.5.2.8 / (download) - annotate - [select for diffs], Fri Mar 29 00:44:28 2013 UTC (11 years ago) by msaitoh
Branch: netbsd-6
CVS Tags: netbsd-6-1-RELEASE,
netbsd-6-1-RC4,
netbsd-6-1-RC3,
netbsd-6-1-5-RELEASE,
netbsd-6-1-4-RELEASE,
netbsd-6-1-3-RELEASE,
netbsd-6-1-2-RELEASE,
netbsd-6-1-1-RELEASE
Branch point for: netbsd-6-1
Changes since 1.5.2.7: +4 -4
lines
Diff to previous 1.5.2.7 (colored) to branchpoint 1.5 (colored)
Pull up following revision(s) (requested by tls in ticket #859): sys/kern/subr_cprng.c: revision 1.16 Re-fix 'fix' for SA-2013-003. Because the original fix evaluated a flag backwards, in low-entropy conditions there was a time interval in which /dev/urandom could still output bits on an unacceptably short key. Output from /dev/random was *NOT* impacted. Eliminate the flag in question -- it's safest to always fill the requested key buffer with output from the entropy-pool, even if we let the caller know we couldn't provide bytes with the full entropy it requested. Advisory will be updated soon with a full worst-case analysis of the /dev/urandom output path in the presence of either variant of the SA-2013-003 bug. Fortunately, because a large amount of other input is mixed in before users can obtain any output, it doesn't look as dangerous in practice as I'd feared it might be.
Revision 1.16 / (download) - annotate - [select for diffs], Thu Mar 28 18:06:48 2013 UTC (11 years ago) by tls
Branch: MAIN
CVS Tags: khorben-n900
Changes since 1.15: +6 -6
lines
Diff to previous 1.15 (colored)
Re-fix 'fix' for SA-2013-003. Because the original fix evaluated a flag backwards, in low-entropy conditions there was a time interval in which /dev/urandom could still output bits on an unacceptably short key. Output from /dev/random was *NOT* impacted. Eliminate the flag in question -- it's safest to always fill the requested key buffer with output from the entropy-pool, even if we let the caller know we couldn't provide bytes with the full entropy it requested. Advisory will be updated soon with a full worst-case analysis of the /dev/urandom output path in the presence of either variant of the SA-2013-003 bug. Fortunately, because a large amount of other input is mixed in before users can obtain any output, it doesn't look as dangerous in practice as I'd feared it might be.
Revision 1.12.2.2 / (download) - annotate - [select for diffs], Mon Feb 25 00:29:53 2013 UTC (11 years, 1 month ago) by tls
Branch: tls-maxphys
Changes since 1.12.2.1: +23 -9
lines
Diff to previous 1.12.2.1 (colored)
resync with head
Revision 1.5.2.3.4.1 / (download) - annotate - [select for diffs], Sat Jan 26 21:36:10 2013 UTC (11 years, 2 months ago) by bouyer
Branch: netbsd-6-0
Changes since 1.5.2.3: +22 -8
lines
Diff to previous 1.5.2.3 (colored)
Pull up following revision(s) (requested by tls in ticket #800): sys/kern/subr_cprng.c: revision 1.15 Fix a security issue: when we are reseeding a PRNG seeded early in boot before we had ever had any entropy, if something else has consumed the entropy that triggered the immediate reseed, we can reseed with as little as sizeof(int) bytes of entropy.
Revision 1.5.2.7 / (download) - annotate - [select for diffs], Sat Jan 26 21:35:23 2013 UTC (11 years, 2 months ago) by bouyer
Branch: netbsd-6
CVS Tags: netbsd-6-1-RC2,
netbsd-6-1-RC1
Changes since 1.5.2.6: +22 -8
lines
Diff to previous 1.5.2.6 (colored) to branchpoint 1.5 (colored)
Pull up following revision(s) (requested by tls in ticket #800): sys/kern/subr_cprng.c: revision 1.15 Fix a security issue: when we are reseeding a PRNG seeded early in boot before we had ever had any entropy, if something else has consumed the entropy that triggered the immediate reseed, we can reseed with as little as sizeof(int) bytes of entropy.
Revision 1.15 / (download) - annotate - [select for diffs], Sat Jan 26 16:05:34 2013 UTC (11 years, 2 months ago) by tls
Branch: MAIN
CVS Tags: agc-symver-base,
agc-symver
Changes since 1.14: +22 -8
lines
Diff to previous 1.14 (colored)
Fix a security issue: when we are reseeding a PRNG seeded early in boot before we had ever had any entropy, if something else has consumed the entropy that triggered the immediate reseed, we can reseed with as little as sizeof(int) bytes of entropy.
Revision 1.7.2.5 / (download) - annotate - [select for diffs], Wed Jan 16 05:33:44 2013 UTC (11 years, 3 months ago) by yamt
Branch: yamt-pagecache
CVS Tags: yamt-pagecache-tag8
Changes since 1.7.2.4: +3 -3
lines
Diff to previous 1.7.2.4 (colored) to branchpoint 1.7 (colored)
sync with (a bit old) head
Revision 1.5.2.6 / (download) - annotate - [select for diffs], Sat Nov 24 20:58:00 2012 UTC (11 years, 4 months ago) by jdc
Branch: netbsd-6
Changes since 1.5.2.5: +3 -3
lines
Diff to previous 1.5.2.5 (colored) to branchpoint 1.5 (colored)
Pull up revision 1.14 (requested by msaitoh in ticket #714). Pass correct wait channel string.
Revision 1.14 / (download) - annotate - [select for diffs], Tue Nov 20 11:06:27 2012 UTC (11 years, 4 months ago) by msaitoh
Branch: MAIN
CVS Tags: yamt-pagecache-base8,
yamt-pagecache-base7
Changes since 1.13: +3 -3
lines
Diff to previous 1.13 (colored)
Pass correct wait channel string.
Revision 1.12.2.1 / (download) - annotate - [select for diffs], Tue Nov 20 03:02:43 2012 UTC (11 years, 4 months ago) by tls
Branch: tls-maxphys
Changes since 1.12: +4 -4
lines
Diff to previous 1.12 (colored)
Resync to 2012-11-19 00:00:00 UTC
Revision 1.5.2.5 / (download) - annotate - [select for diffs], Wed Oct 31 17:30:21 2012 UTC (11 years, 5 months ago) by riz
Branch: netbsd-6
Changes since 1.5.2.4: +4 -3
lines
Diff to previous 1.5.2.4 (colored) to branchpoint 1.5 (colored)
Pull up following revision(s) (requested by msaitoh in ticket #644): sys/netinet/tcp_subr.c: revision 1.248 sys/kern/subr_cprng.c: revision 1.12 Fix a bug that kmem_alloc() is called from the interrupt context.
Revision 1.7.2.4 / (download) - annotate - [select for diffs], Tue Oct 30 17:22:33 2012 UTC (11 years, 5 months ago) by yamt
Branch: yamt-pagecache
Changes since 1.7.2.3: +14 -6
lines
Diff to previous 1.7.2.3 (colored) to branchpoint 1.7 (colored)
sync with head
Revision 1.13 / (download) - annotate - [select for diffs], Sat Oct 27 17:34:07 2012 UTC (11 years, 5 months ago) by matt
Branch: MAIN
CVS Tags: yamt-pagecache-base6
Changes since 1.12: +4 -4
lines
Diff to previous 1.12 (colored)
Use kmem_intr_alloc/kmem_intr_free
Revision 1.5.2.4 / (download) - annotate - [select for diffs], Wed Oct 17 21:27:12 2012 UTC (11 years, 6 months ago) by riz
Branch: netbsd-6
Changes since 1.5.2.3: +10 -3
lines
Diff to previous 1.5.2.3 (colored) to branchpoint 1.5 (colored)
Pull up following revision(s) (requested by tls in ticket #558): sys/sys/rnd.h: revision 1.33 sys/kern/subr_cprng.c: revision 1.10 sys/kern/kern_rndq.c: revision 1.4 sys/kern/subr_cprng.c: revision 1.11 sys/kern/kern_rndq.c: revision 1.5 Try to help embedded systems a _little_ bit: stir in the system boot time as early as possible. On systems with no cycle counter (or very very predictable cycle counts early in boot) at least this will cause some difference across boots. Don't wait until the pool *fills* to rekey anything that was keyed with insufficient entropy at boot: key it as soon as it makes any request after we hit the minimum entropy threshold. This too should help avoid predictable output at boot time. Fix kern/46911: note that we rekeyed the cprng so we don't keep doing so.
Revision 1.12 / (download) - annotate - [select for diffs], Sat Sep 8 02:58:13 2012 UTC (11 years, 7 months ago) by msaitoh
Branch: MAIN
Branch point for: tls-maxphys
Changes since 1.11: +4 -3
lines
Diff to previous 1.11 (colored)
Fix a bug that kmem_alloc() is called from the interrupt context.
Revision 1.11 / (download) - annotate - [select for diffs], Fri Sep 7 02:42:13 2012 UTC (11 years, 7 months ago) by tls
Branch: MAIN
Changes since 1.10: +3 -2
lines
Diff to previous 1.10 (colored)
Fix kern/46911: note that we rekeyed the cprng so we don't keep doing so.
Revision 1.10 / (download) - annotate - [select for diffs], Wed Sep 5 18:57:34 2012 UTC (11 years, 7 months ago) by tls
Branch: MAIN
Changes since 1.9: +9 -3
lines
Diff to previous 1.9 (colored)
Don't wait until the pool *fills* to rekey anything that was keyed with insufficient entropy at boot: key it as soon as it makes any request after we hit the minimum entropy threshold. This too should help avoid predictable output at boot time.
Revision 1.4.2.3 / (download) - annotate - [select for diffs], Sat Jun 2 11:09:33 2012 UTC (11 years, 10 months ago) by mrg
Branch: jmcneill-usbmp
Changes since 1.4.2.2: +29 -17
lines
Diff to previous 1.4.2.2 (colored) to branchpoint 1.4 (colored) next main 1.5 (colored)
sync to latest -current.
Revision 1.7.2.3 / (download) - annotate - [select for diffs], Wed May 23 10:08:11 2012 UTC (11 years, 10 months ago) by yamt
Branch: yamt-pagecache
Changes since 1.7.2.2: +99 -45
lines
Diff to previous 1.7.2.2 (colored) to branchpoint 1.7 (colored)
sync with head.
Revision 1.5.2.3 / (download) - annotate - [select for diffs], Mon May 21 16:49:54 2012 UTC (11 years, 10 months ago) by jdc
Branch: netbsd-6
CVS Tags: netbsd-6-0-RELEASE,
netbsd-6-0-RC2,
netbsd-6-0-RC1,
netbsd-6-0-1-RELEASE,
matt-nb6-plus-nbase,
matt-nb6-plus-base,
matt-nb6-plus
Branch point for: netbsd-6-0
Changes since 1.5.2.2: +29 -17
lines
Diff to previous 1.5.2.2 (colored) to branchpoint 1.5 (colored)
Pull up: revision 1.10 src/sys/dev/rndpseudo.c revision 1.9 src/sys/kern/subr_cprng.c (requested by tls in ticket 273). Fix two problems that could cause /dev/random to not wake up readers when entropy became available.
Revision 1.9 / (download) - annotate - [select for diffs], Sat May 19 16:00:41 2012 UTC (11 years, 11 months ago) by tls
Branch: MAIN
CVS Tags: yamt-pagecache-base5,
jmcneill-usbmp-base10
Changes since 1.8: +29 -17
lines
Diff to previous 1.8 (colored)
Fix two problems that could cause /dev/random to not wake up readers when entropy became available.
Revision 1.4.2.2 / (download) - annotate - [select for diffs], Sun Apr 29 23:05:05 2012 UTC (11 years, 11 months ago) by mrg
Branch: jmcneill-usbmp
Changes since 1.4.2.1: +81 -30
lines
Diff to previous 1.4.2.1 (colored) to branchpoint 1.4 (colored)
sync to latest -current.
Revision 1.5.2.2 / (download) - annotate - [select for diffs], Fri Apr 20 23:35:20 2012 UTC (11 years, 11 months ago) by riz
Branch: netbsd-6
Changes since 1.5.2.1: +72 -30
lines
Diff to previous 1.5.2.1 (colored) to branchpoint 1.5 (colored)
Pull up following revision(s) (requested by tls in ticket #190): sys/sys/rnd.h: revision 1.31 sys/sys/rnd.h: revision 1.32 sys/sys/cprng.h: revision 1.5 sys/kern/subr_cprng.c: revision 1.8 share/man/man4/rnd.4: revision 1.19 sys/kern/kern_rndq.c: revision 1.3 sys/dev/rndpseudo.c: revision 1.8 sys/dev/rndpseudo.c: revision 1.9 sys/kern/kern_rndpool.c: revision 1.2 Address multiple problems with rnd(4)/cprng(9): 1) Add a per-cpu CPRNG to handle short reads from /dev/urandom so that programs like perl don't drain the entropy pool dry by repeatedly opening, reading 4 bytes, closing. 2) Really fix the locking around reseeds and destroys. 3) Fix the opportunistic-reseed strategy so it actually works, reseeding existing RNGs once each (as they are used, so idle RNGs don't get reseeded) until the pool is half empty or newly full again. Fix a bug and a compilation problem. Bug: spin mutexes don't have owners, so KASSERT(!mutex_owned()) shouldn't be used to assert that the current LWP does not have the mutex. Compilation problem: explicitly include sys/mutex.h from rnd.h so evbarm builds again.
Revision 1.5.2.1 / (download) - annotate - [select for diffs], Thu Apr 19 19:59:10 2012 UTC (11 years, 11 months ago) by riz
Branch: netbsd-6
Changes since 1.5: +13 -4
lines
Diff to previous 1.5 (colored)
Pull up following revision(s) (requested by tls in ticket #185): sys/kern/subr_cprng.c: revision 1.6 sys/kern/subr_cprng.c: revision 1.7 sys/lib/libkern/arc4random.c: revision 1.32 sys/kern/kern_rndq.c: revision 1.2 sys/dev/rndpseudo.c: revision 1.7 sys/sys/rnd.h: revision 1.30 Add a spin mutex to the rndsink structure; it is used to avoid lock ordering and sleep-holding-locks problems when rekeying, and thus to avoid a nasty race between cprng destruction and reseeding. Fix LOCKDEBUG problems pointed out by drochner@ 1) Lock ordering in cprng_strong_destroy had us take a spin mutex then an adaptive mutex. Can't do that. Reordering this requires changing cprng_strong_reseed to tryenter the cprng's own mutex and skip the reseed on failure, or we could deadlock. 2) Can't free memory with a valid mutex in it. reorder initialization to improve error handling in case the system runs out of file descriptors, avoids LOCKDEBUG panic due to double mutex initialization
Revision 1.8 / (download) - annotate - [select for diffs], Tue Apr 17 02:50:39 2012 UTC (12 years ago) by tls
Branch: MAIN
CVS Tags: jmcneill-usbmp-base9
Changes since 1.7: +72 -30
lines
Diff to previous 1.7 (colored)
Address multiple problems with rnd(4)/cprng(9): 1) Add a per-cpu CPRNG to handle short reads from /dev/urandom so that programs like perl don't drain the entropy pool dry by repeatedly opening, reading 4 bytes, closing. 2) Really fix the locking around reseeds and destroys. 3) Fix the opportunistic-reseed strategy so it actually works, reseeding existing RNGs once each (as they are used, so idle RNGs don't get reseeded) until the pool is half empty or newly full again.
Revision 1.7.2.2 / (download) - annotate - [select for diffs], Tue Apr 17 00:08:27 2012 UTC (12 years ago) by yamt
Branch: yamt-pagecache
Changes since 1.7.2.1: +328 -0
lines
Diff to previous 1.7.2.1 (colored) to branchpoint 1.7 (colored)
sync with head
Revision 1.7.2.1, Tue Apr 10 15:12:40 2012 UTC (12 years ago) by yamt
Branch: yamt-pagecache
Changes since 1.7: +0 -328
lines
FILE REMOVED
file subr_cprng.c was added on branch yamt-pagecache on 2012-04-17 00:08:27 +0000
Revision 1.7 / (download) - annotate - [select for diffs], Tue Apr 10 15:12:40 2012 UTC (12 years ago) by tls
Branch: MAIN
CVS Tags: yamt-pagecache-base4
Branch point for: yamt-pagecache
Changes since 1.6: +8 -4
lines
Diff to previous 1.6 (colored)
Fix LOCKDEBUG problems pointed out by drochner@ 1) Lock ordering in cprng_strong_destroy had us take a spin mutex then an adaptive mutex. Can't do that. Reordering this requires changing cprng_strong_reseed to tryenter the cprng's own mutex and skip the reseed on failure, or we could deadlock. 2) Can't free memory with a valid mutex in it.
Revision 1.6 / (download) - annotate - [select for diffs], Tue Apr 10 14:02:28 2012 UTC (12 years ago) by tls
Branch: MAIN
Changes since 1.5: +8 -3
lines
Diff to previous 1.5 (colored)
Add a spin mutex to the rndsink structure; it is used to avoid lock ordering and sleep-holding-locks problems when rekeying, and thus to avoid a nasty race between cprng destruction and reseeding.
Revision 1.4.2.1 / (download) - annotate - [select for diffs], Sat Feb 18 07:35:32 2012 UTC (12 years, 2 months ago) by mrg
Branch: jmcneill-usbmp
Changes since 1.4: +77 -66
lines
Diff to previous 1.4 (colored)
merge to -current.
Revision 1.5 / (download) - annotate - [select for diffs], Sat Dec 17 20:05:39 2011 UTC (12 years, 4 months ago) by tls
Branch: MAIN
CVS Tags: netbsd-6-base,
jmcneill-usbmp-base8,
jmcneill-usbmp-base7,
jmcneill-usbmp-base6,
jmcneill-usbmp-base5,
jmcneill-usbmp-base4,
jmcneill-usbmp-base3,
jmcneill-usbmp-base2
Branch point for: netbsd-6
Changes since 1.4: +77 -66
lines
Diff to previous 1.4 (colored)
Separate /dev/random pseudodevice implemenation from kernel entropy pool implementation. Rewrite pseudodevice code to use cprng_strong(9). The new pseudodevice is cloning, so each caller gets bits from a stream generated with its own key. Users of /dev/urandom get their generators keyed on a "best effort" basis -- the kernel will rekey generators whenever the entropy pool hits the high water mark -- while users of /dev/random get their generators rekeyed every time key-length bits are output. The underlying cprng_strong API can use AES-256 or AES-128, but we use AES-128 because of concerns about related-key attacks on AES-256. This improves performance (and reduces entropy pool depletion) significantly for users of /dev/urandom but does cause users of /dev/random to rekey twice as often. Also fixes various bugs (including some missing locking and a reseed-counter overflow in the CTR_DRBG code) found while testing this. For long reads, this generator is approximately 20 times as fast as the old generator (dd with bs=64K yields 53MB/sec on 2Ghz Core2 instead of 2.5MB/sec) and also uses a separate mutex per instance so concurrency is greatly improved. For reads of typical key sizes for modern cryptosystems (16-32 bytes) performance is about the same as the old code: a little better for 32 bytes, a little worse for 16 bytes.
Revision 1.4 / (download) - annotate - [select for diffs], Tue Nov 29 21:48:22 2011 UTC (12 years, 4 months ago) by njoly
Branch: MAIN
CVS Tags: jmcneill-usbmp-pre-base2,
jmcneill-usbmp-base
Branch point for: jmcneill-usbmp
Changes since 1.3: +3 -3
lines
Diff to previous 1.3 (colored)
One semicolon is enough.
Revision 1.3 / (download) - annotate - [select for diffs], Tue Nov 29 03:50:31 2011 UTC (12 years, 4 months ago) by tls
Branch: MAIN
Changes since 1.2: +3 -2
lines
Diff to previous 1.2 (colored)
Remove rnd_extract_data from the public kernel API (it is for use by the stream generators only). Clean up some related minor issues.
Revision 1.2 / (download) - annotate - [select for diffs], Mon Nov 21 13:44:38 2011 UTC (12 years, 4 months ago) by tsutsui
Branch: MAIN
Changes since 1.1: +4 -2
lines
Diff to previous 1.1 (colored)
Include MD <machine/cpu_counter.h> only if defined(__HAVE_CPU_COUNTER). XXX: Why not timecounter(9) but deprecated cpu_counter32() and microtime(9)?
Revision 1.1 / (download) - annotate - [select for diffs], Sat Nov 19 22:51:25 2011 UTC (12 years, 4 months ago) by tls
Branch: MAIN
First step of random number subsystem rework described in <20111022023242.BA26F14A158@mail.netbsd.org>. This change includes the following: An initial cleanup and minor reorganization of the entropy pool code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are fixed. Some effort is made to accumulate entropy more quickly at boot time. A generic interface, "rndsink", is added, for stream generators to request that they be re-keyed with good quality entropy from the pool as soon as it is available. The arc4random()/arc4randbytes() implementation in libkern is adjusted to use the rndsink interface for rekeying, which helps address the problem of low-quality keys at boot time. An implementation of the FIPS 140-2 statistical tests for random number generator quality is provided (libkern/rngtest.c). This is based on Greg Rose's implementation from Qualcomm. A new random stream generator, nist_ctr_drbg, is provided. It is based on an implementation of the NIST SP800-90 CTR_DRBG by Henric Jungheim. This generator users AES in a modified counter mode to generate a backtracking-resistant random stream. An abstraction layer, "cprng", is provided for in-kernel consumers of randomness. The arc4random/arc4randbytes API is deprecated for in-kernel use. It is replaced by "cprng_strong". The current cprng_fast implementation wraps the existing arc4random implementation. The current cprng_strong implementation wraps the new CTR_DRBG implementation. Both interfaces are rekeyed from the entropy pool automatically at intervals justifiable from best current cryptographic practice. In some quick tests, cprng_fast() is about the same speed as the old arc4randbytes(), and cprng_strong() is about 20% faster than rnd_extract_data(). Performance is expected to improve. The AES code in src/crypto/rijndael is no longer an optional kernel component, as it is required by cprng_strong, which is not an optional kernel component. The entropy pool output is subjected to the rngtest tests at startup time; if it fails, the system will reboot. There is approximately a 3/10000 chance of a false positive from these tests. Entropy pool _input_ from hardware random numbers is subjected to the rngtest tests at attach time, as well as the FIPS continuous-output test, to detect bad or stuck hardware RNGs; if any are detected, they are detached, but the system continues to run. A problem with rndctl(8) is fixed -- datastructures with pointers in arrays are no longer passed to userspace (this was not a security problem, but rather a major issue for compat32). A new kernel will require a new rndctl. The sysctl kern.arandom() and kern.urandom() nodes are hooked up to the new generators, but the /dev/*random pseudodevices are not, yet. Manual pages for the new kernel interfaces are forthcoming.