The NetBSD Project

CVS log for src/sys/kern/subr_cprng.c

[BACK] Up to [] / src / sys / kern

Request diff between arbitrary revisions

Default branch: MAIN
Current tag: MAIN

Revision 1.31 / (download) - annotate - [select for diffs], Mon Sep 2 20:09:30 2019 UTC (7 weeks ago) by riastradh
Branch: MAIN
Changes since 1.30: +42 -37 lines
Diff to previous 1.30 (unified)

Switch from NIST CTR_DRBG with AES to NIST Hash_DRBG with SHA-256.


- larger seeds -- a 128-bit key alone is not enough for `128-bit security'
- better resistance to timing side channels than AES
- a better-understood security story (
- no loss in compliance with US government standards that nobody ever
  got fired for choosing, at least in the US-dominated western world
- no dirty endianness tricks
- self-tests


- performance hit: throughput is reduced to about 1/3 in naive measurements
  => possible to mitigate by using hardware SHA-256 instructions
  => all you really need is 32 bytes to seed a userland PRNG anyway
  => if we just used ChaCha this would go away...

XXX pullup-7
XXX pullup-8
XXX pullup-9

Revision 1.30 / (download) - annotate - [select for diffs], Wed Jul 10 17:32:37 2019 UTC (3 months, 1 week ago) by maxv
Branch: MAIN
CVS Tags: netbsd-9-base
Branch point for: netbsd-9
Changes since 1.29: +3 -2 lines
Diff to previous 1.29 (unified)

Zero out 'cprng->cs_name' entirely. Otherwise the RND pool gets polluted
by uninitialized bits from the end of the string.

Revision 1.29 / (download) - annotate - [select for diffs], Fri Dec 1 19:05:49 2017 UTC (22 months, 2 weeks ago) by christos
Branch: MAIN
CVS Tags: tls-maxphys-base-20171202, phil-wifi-base, phil-wifi-20190609, phil-wifi, pgoyette-compat-merge-20190127, pgoyette-compat-base, pgoyette-compat-20190127, pgoyette-compat-20190118, pgoyette-compat-1226, pgoyette-compat-1126, pgoyette-compat-1020, pgoyette-compat-0930, pgoyette-compat-0906, pgoyette-compat-0728, pgoyette-compat-0625, pgoyette-compat-0521, pgoyette-compat-0502, pgoyette-compat-0422, pgoyette-compat-0415, pgoyette-compat-0407, pgoyette-compat-0330, pgoyette-compat-0322, pgoyette-compat-0315, pgoyette-compat, isaki-audio2-base, isaki-audio2
Changes since 1.28: +59 -32 lines
Diff to previous 1.28 (unified)

Allow attaching for write, but return no events.

Revision 1.28 / (download) - annotate - [select for diffs], Wed Oct 25 08:12:39 2017 UTC (23 months, 3 weeks ago) by maya
Branch: MAIN
Changes since 1.27: +8 -4 lines
Diff to previous 1.27 (unified)

Use C99 initializer for filterops

Mostly done with spatch with touchups for indentation

expression a;
identifier b,c,d;
identifier p;
const struct filterops p =
- 	{ a, b, c, d
+ 	{
+ 	.f_isfd = a,
+ 	.f_attach = b,
+ 	.f_detach = c,
+ 	.f_event = d,

Revision 1.27 / (download) - annotate - [select for diffs], Mon Apr 13 22:43:41 2015 UTC (4 years, 6 months ago) by riastradh
Branch: MAIN
CVS Tags: prg-localcount2-base3, prg-localcount2-base2, prg-localcount2-base1, prg-localcount2-base, prg-localcount2, pgoyette-localcount-base, pgoyette-localcount-20170426, pgoyette-localcount-20170320, pgoyette-localcount-20170107, pgoyette-localcount-20161104, pgoyette-localcount-20160806, pgoyette-localcount-20160726, pgoyette-localcount, perseant-stdc-iso10646-base, perseant-stdc-iso10646, nick-nhusb-base-20170825, nick-nhusb-base-20170204, nick-nhusb-base-20161204, nick-nhusb-base-20161004, nick-nhusb-base-20160907, nick-nhusb-base-20160529, nick-nhusb-base-20160422, nick-nhusb-base-20160319, nick-nhusb-base-20151226, nick-nhusb-base-20150921, nick-nhusb-base-20150606, netbsd-8-base, netbsd-8-1-RELEASE, netbsd-8-1-RC1, netbsd-8-0-RELEASE, netbsd-8-0-RC2, netbsd-8-0-RC1, matt-nb8-mediatek-base, matt-nb8-mediatek, localcount-20160914, jdolecek-ncq-base, jdolecek-ncq, bouyer-socketcan-base1, bouyer-socketcan-base, bouyer-socketcan
Branch point for: netbsd-8
Changes since 1.26: +2 -3 lines
Diff to previous 1.26 (unified)

More rnd.h user cleanup.

Revision 1.26 / (download) - annotate - [select for diffs], Wed Nov 19 14:25:00 2014 UTC (4 years, 11 months ago) by christos
Branch: MAIN
CVS Tags: nick-nhusb-base-20150406, nick-nhusb-base
Branch point for: nick-nhusb
Changes since 1.25: +6 -6 lines
Diff to previous 1.25 (unified)

Change debug to diagnostic so that more people see the lossage with bad
random streams, so we can debug it.

Revision 1.25 / (download) - annotate - [select for diffs], Thu Aug 14 16:28:30 2014 UTC (5 years, 2 months ago) by riastradh
Branch: MAIN
Changes since 1.24: +2 -0 lines
Diff to previous 1.24 (unified)

Lock cprng->cs_lock around rndsink_request to avoid race with callback.

Revision 1.24 / (download) - annotate - [select for diffs], Sun Aug 10 16:44:36 2014 UTC (5 years, 2 months ago) by tls
Branch: MAIN
CVS Tags: tls-maxphys-base, netbsd-7-base
Branch point for: netbsd-7
Changes since 1.23: +31 -32 lines
Diff to previous 1.23 (unified)

Merge tls-earlyentropy branch into HEAD.

Revision 1.23 / (download) - annotate - [select for diffs], Fri Jan 17 02:12:48 2014 UTC (5 years, 9 months ago) by pooka
Branch: MAIN
CVS Tags: yamt-pagecache-base9, tls-earlyentropy-base, rmind-smpnet-nbase, rmind-smpnet-base, riastradh-xf86-video-intel-2-7-1-pre-2-21-15, riastradh-drm2-base3
Branch point for: tls-earlyentropy
Changes since 1.22: +95 -2 lines
Diff to previous 1.22 (unified)

Put cprng sysctls into subr_cprng.c.  Also, make sysctl_prng static
in subr_cprng and get rid of SYSCTL_PRIVATE namespace leak macro.

Fixes ping(8) when run against a standalone rump kernel due to appearance
of the kern.urandom sysctl node (in case someone was wondering ...)

Revision 1.22 / (download) - annotate - [select for diffs], Sat Jul 27 11:19:09 2013 UTC (6 years, 2 months ago) by skrll
Branch: MAIN
Changes since 1.21: +3 -3 lines
Diff to previous 1.21 (unified)

Fix KASSERT to avoid assumptions about ipl order.

XXX Temporary measure?

Revision 1.21 / (download) - annotate - [select for diffs], Mon Jul 1 15:22:00 2013 UTC (6 years, 3 months ago) by riastradh
Branch: MAIN
CVS Tags: riastradh-drm2-base2, riastradh-drm2-base1, riastradh-drm2-base, riastradh-drm2
Changes since 1.20: +32 -20 lines
Diff to previous 1.20 (unified)

Fix races in /dev/u?random initialization and accounting.

- Push /dev/random `information-theoretic' accounting into cprng(9).
- Use percpu(9) for the per-CPU CPRNGs.
- Use atomics with correct memory barriers for lazy CPRNG creation.
- Remove /dev/random file kmem grovelling from fstat(1).

Revision 1.20 / (download) - annotate - [select for diffs], Mon Jun 24 04:21:20 2013 UTC (6 years, 3 months ago) by riastradh
Branch: MAIN
Branch point for: rmind-smpnet
Changes since 1.19: +6 -6 lines
Diff to previous 1.19 (unified)

Replace consttime_bcmp/explicit_bzero by consttime_memequal/explicit_memset.

consttime_memequal is the same as the old consttime_bcmp.
explicit_memset is to memset as explicit_bzero was to bcmp.

Passes amd64 release and i386/ALL, but I'm sure I missed some spots,
so please let me know.

Revision 1.19 / (download) - annotate - [select for diffs], Mon Jun 24 00:56:21 2013 UTC (6 years, 3 months ago) by riastradh
Branch: MAIN
Changes since 1.18: +3 -2 lines
Diff to previous 1.18 (unified)

Include <sys/lwp.h> for curlwp.

Revision 1.18 / (download) - annotate - [select for diffs], Sun Jun 23 02:35:24 2013 UTC (6 years, 4 months ago) by riastradh
Branch: MAIN
Changes since 1.17: +349 -296 lines
Diff to previous 1.17 (unified)

Rework rndsink(9) abstraction and adapt arc4random(9) and cprng(9).

- Simplify API.
- Simplify locking scheme.
- Add a man page.
- Avoid races in destruction.
- Avoid races in requesting entropy now and scheduling entropy later.

Periodic distribution of entropy to sinks reduces the need for the
last one, but this way we don't need to rely on periodic distribution
(e.g., in a future tickless NetBSD).

rndsinks_lock should probably eventually merge with the rndpool lock,
but we'll put that off for now.

- Make struct cprng_strong opaque.
- Move rndpseudo.c parts that futz with cprng guts to subr_cprng.c.
- Fix kevent locking.  (Is kevent locking documented anywhere?)
- Stub out rump cprng further until we can rumpify rndsink instead.
- Strip code to grovel through struct cprng_strong in fstat.

Revision 1.17 / (download) - annotate - [select for diffs], Thu Jun 13 00:55:01 2013 UTC (6 years, 4 months ago) by tls
Branch: MAIN
Changes since 1.16: +13 -4 lines
Diff to previous 1.16 (unified)

Convert the entropy pool framework from pseudo-callout-driven to
soft interrupt driven operation.

Add a polling mode of operation -- now we can ask hardware random number
generators to top us up just when we need it (bcm2835_rng and amdpm
converted as examples).

Fix a stall noticed with repeated reads from /dev/random while testing.

Revision 1.16 / (download) - annotate - [select for diffs], Thu Mar 28 18:06:48 2013 UTC (6 years, 6 months ago) by tls
Branch: MAIN
CVS Tags: khorben-n900
Changes since 1.15: +6 -6 lines
Diff to previous 1.15 (unified)

Re-fix 'fix' for SA-2013-003.  Because the original fix evaluated a flag
backwards, in low-entropy conditions there was a time interval in which
/dev/urandom could still output bits on an unacceptably short key.  Output
from /dev/random was *NOT* impacted.

Eliminate the flag in question -- it's safest to always fill the requested
key buffer with output from the entropy-pool, even if we let the caller
know we couldn't provide bytes with the full entropy it requested.

Advisory will be updated soon with a full worst-case analysis of the
/dev/urandom output path in the presence of either variant of the
SA-2013-003 bug.  Fortunately, because a large amount of other input
is mixed in before users can obtain any output, it doesn't look as dangerous
in practice as I'd feared it might be.

Revision 1.15 / (download) - annotate - [select for diffs], Sat Jan 26 16:05:34 2013 UTC (6 years, 8 months ago) by tls
Branch: MAIN
CVS Tags: agc-symver-base, agc-symver
Changes since 1.14: +22 -8 lines
Diff to previous 1.14 (unified)

Fix a security issue: when we are reseeding a PRNG seeded early in boot
before we had ever had any entropy, if something else has consumed the
entropy that triggered the immediate reseed, we can reseed with as little
as sizeof(int) bytes of entropy.

Revision 1.14 / (download) - annotate - [select for diffs], Tue Nov 20 11:06:27 2012 UTC (6 years, 11 months ago) by msaitoh
Branch: MAIN
CVS Tags: yamt-pagecache-base8, yamt-pagecache-base7
Changes since 1.13: +3 -3 lines
Diff to previous 1.13 (unified)

Pass correct wait channel string.

Revision 1.13 / (download) - annotate - [select for diffs], Sat Oct 27 17:34:07 2012 UTC (6 years, 11 months ago) by matt
Branch: MAIN
CVS Tags: yamt-pagecache-base6
Changes since 1.12: +4 -4 lines
Diff to previous 1.12 (unified)

Use kmem_intr_alloc/kmem_intr_free

Revision 1.12 / (download) - annotate - [select for diffs], Sat Sep 8 02:58:13 2012 UTC (7 years, 1 month ago) by msaitoh
Branch: MAIN
Branch point for: tls-maxphys
Changes since 1.11: +4 -3 lines
Diff to previous 1.11 (unified)

Fix a bug that kmem_alloc() is called from the interrupt context.

Revision 1.11 / (download) - annotate - [select for diffs], Fri Sep 7 02:42:13 2012 UTC (7 years, 1 month ago) by tls
Branch: MAIN
Changes since 1.10: +3 -2 lines
Diff to previous 1.10 (unified)

Fix kern/46911: note that we rekeyed the cprng so we don't keep doing so.

Revision 1.10 / (download) - annotate - [select for diffs], Wed Sep 5 18:57:34 2012 UTC (7 years, 1 month ago) by tls
Branch: MAIN
Changes since 1.9: +9 -3 lines
Diff to previous 1.9 (unified)

Don't wait until the pool *fills* to rekey anything that was keyed with
insufficient entropy at boot: key it as soon as it makes any request after
we hit the minimum entropy threshold.

This too should help avoid predictable output at boot time.

Revision 1.9 / (download) - annotate - [select for diffs], Sat May 19 16:00:41 2012 UTC (7 years, 5 months ago) by tls
Branch: MAIN
CVS Tags: yamt-pagecache-base5, jmcneill-usbmp-base10
Changes since 1.8: +29 -17 lines
Diff to previous 1.8 (unified)

Fix two problems that could cause /dev/random to not wake up readers when entropy became available.

Revision 1.8 / (download) - annotate - [select for diffs], Tue Apr 17 02:50:39 2012 UTC (7 years, 6 months ago) by tls
Branch: MAIN
CVS Tags: jmcneill-usbmp-base9
Changes since 1.7: +72 -30 lines
Diff to previous 1.7 (unified)

Address multiple problems with rnd(4)/cprng(9):

1) Add a per-cpu CPRNG to handle short reads from /dev/urandom so that
   programs like perl don't drain the entropy pool dry by repeatedly
   opening, reading 4 bytes, closing.

2) Really fix the locking around reseeds and destroys.

3) Fix the opportunistic-reseed strategy so it actually works, reseeding
   existing RNGs once each (as they are used, so idle RNGs don't get
   reseeded) until the pool is half empty or newly full again.

Revision 1.7 / (download) - annotate - [select for diffs], Tue Apr 10 15:12:40 2012 UTC (7 years, 6 months ago) by tls
Branch: MAIN
CVS Tags: yamt-pagecache-base4
Branch point for: yamt-pagecache
Changes since 1.6: +8 -4 lines
Diff to previous 1.6 (unified)

Fix LOCKDEBUG problems pointed out by drochner@

1) Lock ordering in cprng_strong_destroy had us take a spin mutex then
   an adaptive mutex.  Can't do that.  Reordering this requires changing
   cprng_strong_reseed to tryenter the cprng's own mutex and skip the
   reseed on failure, or we could deadlock.

2) Can't free memory with a valid mutex in it.

Revision 1.6 / (download) - annotate - [select for diffs], Tue Apr 10 14:02:28 2012 UTC (7 years, 6 months ago) by tls
Branch: MAIN
Changes since 1.5: +8 -3 lines
Diff to previous 1.5 (unified)

Add a spin mutex to the rndsink structure; it is used to avoid lock
ordering and sleep-holding-locks problems when rekeying, and thus
to avoid a nasty race between cprng destruction and reseeding.

Revision 1.5 / (download) - annotate - [select for diffs], Sat Dec 17 20:05:39 2011 UTC (7 years, 10 months ago) by tls
Branch: MAIN
CVS Tags: netbsd-6-base, jmcneill-usbmp-base8, jmcneill-usbmp-base7, jmcneill-usbmp-base6, jmcneill-usbmp-base5, jmcneill-usbmp-base4, jmcneill-usbmp-base3, jmcneill-usbmp-base2
Branch point for: netbsd-6
Changes since 1.4: +77 -66 lines
Diff to previous 1.4 (unified)

Separate /dev/random pseudodevice implemenation from kernel entropy pool
implementation.  Rewrite pseudodevice code to use cprng_strong(9).

The new pseudodevice is cloning, so each caller gets bits from a stream
generated with its own key.  Users of /dev/urandom get their generators
keyed on a "best effort" basis -- the kernel will rekey generators
whenever the entropy pool hits the high water mark -- while users of
/dev/random get their generators rekeyed every time key-length bits
are output.

The underlying cprng_strong API can use AES-256 or AES-128, but we use
AES-128 because of concerns about related-key attacks on AES-256.  This
improves performance (and reduces entropy pool depletion) significantly
for users of /dev/urandom but does cause users of /dev/random to rekey
twice as often.

Also fixes various bugs (including some missing locking and a reseed-counter
overflow in the CTR_DRBG code) found while testing this.

For long reads, this generator is approximately 20 times as fast as the
old generator (dd with bs=64K yields 53MB/sec on 2Ghz Core2 instead of
2.5MB/sec) and also uses a separate mutex per instance so concurrency
is greatly improved.  For reads of typical key sizes for modern
cryptosystems (16-32 bytes) performance is about the same as the old
code: a little better for 32 bytes, a little worse for 16 bytes.

Revision 1.4 / (download) - annotate - [select for diffs], Tue Nov 29 21:48:22 2011 UTC (7 years, 10 months ago) by njoly
Branch: MAIN
CVS Tags: jmcneill-usbmp-pre-base2, jmcneill-usbmp-base
Branch point for: jmcneill-usbmp
Changes since 1.3: +3 -3 lines
Diff to previous 1.3 (unified)

One semicolon is enough.

Revision 1.3 / (download) - annotate - [select for diffs], Tue Nov 29 03:50:31 2011 UTC (7 years, 10 months ago) by tls
Branch: MAIN
Changes since 1.2: +3 -2 lines
Diff to previous 1.2 (unified)

Remove rnd_extract_data from the public kernel API (it is for use by the
stream generators only).  Clean up some related minor issues.

Revision 1.2 / (download) - annotate - [select for diffs], Mon Nov 21 13:44:38 2011 UTC (7 years, 11 months ago) by tsutsui
Branch: MAIN
Changes since 1.1: +4 -2 lines
Diff to previous 1.1 (unified)

Include MD <machine/cpu_counter.h> only if defined(__HAVE_CPU_COUNTER).

XXX: Why not timecounter(9) but deprecated cpu_counter32() and microtime(9)?

Revision 1.1 / (download) - annotate - [select for diffs], Sat Nov 19 22:51:25 2011 UTC (7 years, 11 months ago) by tls
Branch: MAIN

First step of random number subsystem rework described in
<>.  This change includes
the following:

	An initial cleanup and minor reorganization of the entropy pool
	code in sys/dev/rnd.c and sys/dev/rndpool.c.  Several bugs are
	fixed.  Some effort is made to accumulate entropy more quickly at
	boot time.

	A generic interface, "rndsink", is added, for stream generators to
	request that they be re-keyed with good quality entropy from the pool
	as soon as it is available.

	The arc4random()/arc4randbytes() implementation in libkern is
	adjusted to use the rndsink interface for rekeying, which helps
	address the problem of low-quality keys at boot time.

	An implementation of the FIPS 140-2 statistical tests for random
	number generator quality is provided (libkern/rngtest.c).  This
	is based on Greg Rose's implementation from Qualcomm.

	A new random stream generator, nist_ctr_drbg, is provided.  It is
	based on an implementation of the NIST SP800-90 CTR_DRBG by
	Henric Jungheim.  This generator users AES in a modified counter
	mode to generate a backtracking-resistant random stream.

	An abstraction layer, "cprng", is provided for in-kernel consumers
	of randomness.  The arc4random/arc4randbytes API is deprecated for
	in-kernel use.  It is replaced by "cprng_strong".  The current
	cprng_fast implementation wraps the existing arc4random
	implementation.  The current cprng_strong implementation wraps the
	new CTR_DRBG implementation.  Both interfaces are rekeyed from
	the entropy pool automatically at intervals justifiable from best
	current cryptographic practice.

	In some quick tests, cprng_fast() is about the same speed as
	the old arc4randbytes(), and cprng_strong() is about 20% faster
	than rnd_extract_data().  Performance is expected to improve.

	The AES code in src/crypto/rijndael is no longer an optional
	kernel component, as it is required by cprng_strong, which is
	not an optional kernel component.

	The entropy pool output is subjected to the rngtest tests at
	startup time; if it fails, the system will reboot.  There is
	approximately a 3/10000 chance of a false positive from these
	tests.  Entropy pool _input_ from hardware random numbers is
	subjected to the rngtest tests at attach time, as well as the
	FIPS continuous-output test, to detect bad or stuck hardware
	RNGs; if any are detected, they are detached, but the system
	continues to run.

	A problem with rndctl(8) is fixed -- datastructures with
	pointers in arrays are no longer passed to userspace (this
	was not a security problem, but rather a major issue for
	compat32).  A new kernel will require a new rndctl.

	The sysctl kern.arandom() and kern.urandom() nodes are hooked
	up to the new generators, but the /dev/*random pseudodevices
	are not, yet.

	Manual pages for the new kernel interfaces are forthcoming.

This form allows you to request diff's between any two revisions of a file. You may select a symbolic revision name using the selection box or you may type in a numeric name using the type-in text box.

CVSweb <>