#
272461 |
|
02-Oct-2014 |
gjb |
Copy stable/10@r272459 to releng/10.1 as part of the 10.1-RELEASE process.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation |
#
256381 |
|
12-Oct-2013 |
markm |
Merge from project branch via main. Uninteresting commits are trimmed.
Refactor of /dev/random device. Main points include:
* Userland seeding is no longer used. This auto-seeds at boot time on PC/Desktop setups; this may need some tweeking and intelligence from those folks setting up embedded boxes, but the work is believed to be minimal.
* An entropy cache is written to /entropy (even during installation) and the kernel uses this at next boot.
* An entropy file written to /boot/entropy can be loaded by loader(8)
* Hardware sources such as rdrand are fed into Yarrow, and are no longer available raw.
------------------------------------------------------------------------ r256240 | des | 2013-10-09 21:14:16 +0100 (Wed, 09 Oct 2013) | 4 lines
Add a RANDOM_RWFILE option and hide the entropy cache code behind it. Rename YARROW_RNG and FORTUNA_RNG to RANDOM_YARROW and RANDOM_FORTUNA. Add the RANDOM_* options to LINT.
------------------------------------------------------------------------ r256239 | des | 2013-10-09 21:12:59 +0100 (Wed, 09 Oct 2013) | 2 lines
Define RANDOM_PURE_RNDTEST for rndtest(4).
------------------------------------------------------------------------ r256204 | des | 2013-10-09 18:51:38 +0100 (Wed, 09 Oct 2013) | 2 lines
staticize struct random_hardware_source
------------------------------------------------------------------------ r256203 | markm | 2013-10-09 18:50:36 +0100 (Wed, 09 Oct 2013) | 2 lines
Wrap some policy-rich code in 'if NOTYET' until we can thresh out what it really needs to do.
------------------------------------------------------------------------ r256184 | des | 2013-10-09 10:13:12 +0100 (Wed, 09 Oct 2013) | 2 lines
Re-add /dev/urandom for compatibility purposes.
------------------------------------------------------------------------ r256182 | des | 2013-10-09 10:11:14 +0100 (Wed, 09 Oct 2013) | 3 lines
Add missing include guards and move the existing ones out of the implementation namespace.
------------------------------------------------------------------------ r256168 | markm | 2013-10-08 23:14:07 +0100 (Tue, 08 Oct 2013) | 10 lines
Fix some just-noticed problems:
o Allow this to work with "nodevice random" by fixing where the MALLOC pool is defined.
o Fix the explicit reseed code. This was correct as submitted, but in the project branch doesn't need to set the "seeded" bit as this is done correctly in the "unblock" function.
o Remove some debug ifdeffing.
o Adjust comments.
------------------------------------------------------------------------ r256159 | markm | 2013-10-08 19:48:11 +0100 (Tue, 08 Oct 2013) | 6 lines
Time to eat crow for me.
I replaced the sx_* locks that Arthur used with regular mutexes; this turned out the be the wrong thing to do as the locks need to be sleepable. Revert this folly.
# Submitted by: Arthur Mesh <arthurmesh@gmail.com> (In original diff)
------------------------------------------------------------------------ r256138 | des | 2013-10-08 12:05:26 +0100 (Tue, 08 Oct 2013) | 10 lines
Add YARROW_RNG and FORTUNA_RNG to sys/conf/options.
Add a SYSINIT that forces a reseed during proc0 setup, which happens fairly late in the boot process.
Add a RANDOM_DEBUG option which enables some debugging printf()s.
Add a new RANDOM_ATTACH entropy source which harvests entropy from the get_cyclecount() delta across each call to a device attach method.
------------------------------------------------------------------------ r256135 | markm | 2013-10-08 07:54:52 +0100 (Tue, 08 Oct 2013) | 8 lines
Debugging. My attempt at EVENTHANDLER(multiuser) was a failure; use EVENTHANDLER(mountroot) instead.
This means we can't count on /var being present, so something will need to be done about harvesting /var/db/entropy/... .
Some policy now needs to be sorted out, and a pre-sync cache needs to be written, but apart from that we are now ready to go.
Over to review.
------------------------------------------------------------------------ r256094 | markm | 2013-10-06 23:45:02 +0100 (Sun, 06 Oct 2013) | 8 lines
Snapshot.
Looking pretty good; this mostly works now. New code includes:
* Read cached entropy at startup, both from files and from loader(8) preloaded entropy. Failures are soft, but announced. Untested.
* Use EVENTHANDLER to do above just before we go multiuser. Untested.
------------------------------------------------------------------------ r256088 | markm | 2013-10-06 14:01:42 +0100 (Sun, 06 Oct 2013) | 2 lines
Fix up the man page for random(4). This mainly removes no-longer-relevant details about HW RNGs, reseeding explicitly and user-supplied entropy.
------------------------------------------------------------------------ r256087 | markm | 2013-10-06 13:43:42 +0100 (Sun, 06 Oct 2013) | 6 lines
As userland writing to /dev/random is no more, remove the "better than nothing" bootstrap mode.
Add SWI harvesting to the mix.
My box seeds Yarrow by itself in a few seconds! YMMV; more to follow.
------------------------------------------------------------------------ r256086 | markm | 2013-10-06 13:40:32 +0100 (Sun, 06 Oct 2013) | 11 lines
Debug run. This now works, except that the "live" sources haven't been tested. With all sources turned on, this unlocks itself in a couple of seconds! That is no my box, and there is no guarantee that this will be the case everywhere.
* Cut debug prints.
* Use the same locks/mutexes all the way through.
* Be a tad more conservative about entropy estimates.
------------------------------------------------------------------------ r256084 | markm | 2013-10-06 13:35:29 +0100 (Sun, 06 Oct 2013) | 5 lines
Don't use the "real" assembler mnemonics; older compilers may not understand them (like when building CURRENT on 9.x).
# Submitted by: Konstantin Belousov <kostikbel@gmail.com>
------------------------------------------------------------------------ r256081 | markm | 2013-10-06 10:55:28 +0100 (Sun, 06 Oct 2013) | 12 lines
SNAPSHOT.
Simplify the malloc pools; We only need one for this device.
Simplify the harvest queue.
Marginally improve the entropy pool hashing, making it a bit faster in the process.
Connect up the hardware "live" source harvesting. This is simplistic for now, and will need to be made rate-adaptive.
All of the above passes a compile test but needs to be debugged.
------------------------------------------------------------------------ r256042 | markm | 2013-10-04 07:55:06 +0100 (Fri, 04 Oct 2013) | 25 lines
Snapshot. This passes the build test, but has not yet been finished or debugged.
Contains:
* Refactor the hardware RNG CPU instruction sources to feed into the software mixer. This is unfinished. The actual harvesting needs to be sorted out. Modified by me (see below).
* Remove 'frac' parameter from random_harvest(). This was never used and adds extra code for no good reason.
* Remove device write entropy harvesting. This provided a weak attack vector, was not very good at bootstrapping the device. To follow will be a replacement explicit reseed knob.
* Separate out all the RANDOM_PURE sources into separate harvest entities. This adds some secuity in the case where more than one is present.
* Review all the code and fix anything obviously messy or inconsistent. Address som review concerns while I'm here, like rename the pseudo-rng to 'dummy'.
# Submitted by: Arthur Mesh <arthurmesh@gmail.com> (the first item)
------------------------------------------------------------------------ r255319 | markm | 2013-09-06 18:51:52 +0100 (Fri, 06 Sep 2013) | 4 lines
Yarrow wants entropy estimations to be conservative; the usual idea is that if you are certain you have N bits of entropy, you declare N/2.
------------------------------------------------------------------------ r255075 | markm | 2013-08-30 18:47:53 +0100 (Fri, 30 Aug 2013) | 4 lines
Remove short-lived idea; thread to harvest (eg) RDRAND enropy into the usual harvest queues. It was a nifty idea, but too heavyweight.
# Submitted by: Arthur Mesh <arthurmesh@gmail.com>
------------------------------------------------------------------------ r255071 | markm | 2013-08-30 12:42:57 +0100 (Fri, 30 Aug 2013) | 4 lines
Separate out the Software RNG entropy harvesting queue and thread into its own files.
# Submitted by: Arthur Mesh <arthurmesh@gmail.com>
------------------------------------------------------------------------ r254934 | markm | 2013-08-26 20:07:03 +0100 (Mon, 26 Aug 2013) | 2 lines
Remove the short-lived namei experiment.
------------------------------------------------------------------------ r254928 | markm | 2013-08-26 19:35:21 +0100 (Mon, 26 Aug 2013) | 2 lines
Snapshot; Do some running repairs on entropy harvesting. More needs to follow.
------------------------------------------------------------------------ r254927 | markm | 2013-08-26 19:29:51 +0100 (Mon, 26 Aug 2013) | 15 lines
Snapshot of current work;
1) Clean up namespace; only use "Yarrow" where it is Yarrow-specific or close enough to the Yarrow algorithm. For the rest use a neutral name.
2) Tidy up headers; put private stuff in private places. More could be done here.
3) Streamline the hashing/encryption; no need for a 256-bit counter; 128 bits will last for long enough.
There are bits of debug code lying around; these will be removed at a later stage.
------------------------------------------------------------------------ r254784 | markm | 2013-08-24 14:54:56 +0100 (Sat, 24 Aug 2013) | 39 lines
1) example (partially humorous random_adaptor, that I call "EXAMPLE") * It's not meant to be used in a real system, it's there to show how the basics of how to create interfaces for random_adaptors. Perhaps it should belong in a manual page
2) Move probe.c's functionality in to random_adaptors.c * rename random_ident_hardware() to random_adaptor_choose()
3) Introduce a new way to choose (or select) random_adaptors via tunable "rngs_want" It's a list of comma separated names of adaptors, ordered by preferences. I.e.: rngs_want="yarrow,rdrand"
Such setting would cause yarrow to be preferred to rdrand. If neither of them are available (or registered), then system will default to something reasonable (currently yarrow). If yarrow is not present, then we fall back to the adaptor that's first on the list of registered adaptors.
4) Introduce a way where RNGs can play a role of entropy source. This is mostly useful for HW rngs.
The way I envision this is that every HW RNG will use this functionality by default. Functionality to disable this is also present. I have an example of how to use this in random_adaptor_example.c (see modload event, and init function)
5) fix kern.random.adaptors from kern.random.adaptors: yarrowpanicblock to kern.random.adaptors: yarrow,panic,block
6) add kern.random.active_adaptor to indicate currently selected adaptor: root@freebsd04:~ # sysctl kern.random.active_adaptor kern.random.active_adaptor: yarrow
# Submitted by: Arthur Mesh <arthurmesh@gmail.com>
Submitted by: Dag-Erling Smørgrav <des@FreeBSD.org>, Arthur Mesh <arthurmesh@gmail.com> Reviewed by: des@FreeBSD.org Approved by: re (delphij) Approved by: secteam (des,delphij)
|
#
256281 |
|
10-Oct-2013 |
gjb |
Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation
|
#
255362 |
|
07-Sep-2013 |
markm |
Bring in some behind-the-scenes development, mainly By Arthur Mesh, the rest by me.
o Namespace cleanup; the Yarrow name is now restricted to where it really applies; this is in anticipation of being augmented or replaced by Fortuna in the future. Fortuna is mentioned, but behind #if logic, and is ignorable for now.
o The harvest queue is pulled out into its own modules.
o Entropy harvesting is emproved, both by being made more conservative, and by separating (a bit!) the sources. Available entropy crumbs are marginally improved.
o Selection of sources is made clearer. With recent revelations, this will receive more work in the weeks and months to come.
Submitted by: Arthur Mesh (partly) <arthurmesh@gmail.com>
|
#
254147 |
|
09-Aug-2013 |
obrien |
* Add random_adaptors.[ch] which is basically a store of random_adaptor's. random_adaptor is basically an adapter that plugs in to random(4). random_adaptor can only be plugged in to random(4) very early in bootup. Unplugging random_adaptor from random(4) is not supported, and is probably a bad idea anyway, due to potential loss of entropy pools. We currently have 3 random_adaptors: + yarrow + rdrand (ivy.c) + nehemeiah
* Remove platform dependent logic from probe.c, and move it into corresponding registration routines of each random_adaptor provider. probe.c doesn't do anything other than picking a specific random_adaptor from a list of registered ones.
* If the kernel doesn't have any random_adaptor adapters present then the creation of /dev/random is postponed until next random_adaptor is kldload'ed.
* Fix randomdev_soft.c to refer to its own random_adaptor, instead of a system wide one.
Submitted by: arthurmesh@gmail.com, obrien Obtained from: Juniper Networks Reviewed by: so (des)
|
#
253845 |
|
31-Jul-2013 |
obrien |
Back out r253779 & r253786.
|
#
253779 |
|
29-Jul-2013 |
obrien |
Decouple yarrow from random(4) device.
* Make Yarrow an optional kernel component -- enabled by "YARROW_RNG" option. The files sha2.c, hash.c, randomdev_soft.c and yarrow.c comprise yarrow.
* random(4) device doesn't really depend on rijndael-*. Yarrow, however, does.
* Add random_adaptors.[ch] which is basically a store of random_adaptor's. random_adaptor is basically an adapter that plugs in to random(4). random_adaptor can only be plugged in to random(4) very early in bootup. Unplugging random_adaptor from random(4) is not supported, and is probably a bad idea anyway, due to potential loss of entropy pools. We currently have 3 random_adaptors: + yarrow + rdrand (ivy.c) + nehemeiah
* Remove platform dependent logic from probe.c, and move it into corresponding registration routines of each random_adaptor provider. probe.c doesn't do anything other than picking a specific random_adaptor from a list of registered ones.
* If the kernel doesn't have any random_adaptor adapters present then the creation of /dev/random is postponed until next random_adaptor is kldload'ed.
* Fix randomdev_soft.c to refer to its own random_adaptor, instead of a system wide one.
Submitted by: arthurmesh@gmail.com, obrien Obtained from: Juniper Networks Reviewed by: obrien
|
#
174073 |
|
29-Nov-2007 |
simon |
Correct a random value disclosure in random(4).
Security: FreeBSD-SA-07:09.random
|
#
170025 |
|
27-May-2007 |
rwatson |
Rather than repeatedly setting and discarding local variable 'o' based on the return values of various run-time sysctl additions, just ignore the return value.
Found with: Coverity Prevent(tm) CID: 562
|
#
153575 |
|
20-Dec-2005 |
ps |
Remove GIANT from device random.
Submitted by: ups
|
#
143418 |
|
11-Mar-2005 |
ume |
stop including rijndael-api-fst.h from rijndael.h. this is required to integrate opencrypto into crypto.
|
#
128059 |
|
09-Apr-2004 |
markm |
Reorganise the entropy device so that high-yield entropy sources can more easily be used INSTEAD OF the hard-working Yarrow. The only hardware source used at this point is the one inside the VIA C3 Nehemiah (Stepping 3 and above) CPU. More sources will be added in due course. Contributions welcome!
|
#
122871 |
|
17-Nov-2003 |
markm |
Overhaul the entropy device:
o Each source gets its own queue, which is a FIFO, not a ring buffer. The FIFOs are implemented with the sys/queue.h macros. The separation is so that a low entropy/high rate source can't swamp the harvester with low-grade entropy and destroy the reseeds.
o Each FIFO is limited to 256 (set as a macro, so adjustable) events queueable. Full FIFOs are ignored by the harvester. This is to prevent memory wastage, and helps to keep the kernel thread CPU usage within reasonable limits.
o There is no need to break up the event harvesting into ${burst} sized chunks, so retire that feature.
o Break the device away from its roots with the memory device, and allow it to get its major number automagically.
|
#
119418 |
|
24-Aug-2003 |
obrien |
Use __FBSDID(). Also some minor style cleanups.
|
#
107789 |
|
12-Dec-2002 |
markm |
Fix a buffer overrun in /dev/random which, due to the nature of the kernel memory allocator, is harmless. This could be a problem for other systems, though. I've modified Darren's patch a little.
Original patch by: Darren Schack, Isilon Systems, Inc <darrens@isilon.com> Also analysed by: SGI, and in particular Divy Le Ray of SGI OK'ed by: re(rwatson)
|
#
103765 |
|
21-Sep-2002 |
markm |
Remove #ifdef'ed Giant mutex wrappers round debugging statements.
|
#
100082 |
|
15-Jul-2002 |
markm |
Upgrade the random device to use a "real" hash instead of building one out of a block cipher. This has 2 advantages: 1) The code is _much_ simpler 2) We aren't committing our security to one algorithm (much as we may think we trust AES).
While I'm here, make an explicit reseed do a slow reseed instead of a fast; this is in line with what the original paper suggested.
|
#
93818 |
|
04-Apr-2002 |
jhb |
Change callers of mtx_init() to pass in an appropriate lock type name. In most cases NULL is passed, but in some cases such as network driver locks (which use the MTX_NETWORK_LOCK macro) and UMA zone locks, a name is used.
Tested on: i386, alpha, sparc64
|
#
91600 |
|
03-Mar-2002 |
markm |
Massive lint-inspired cleanup.
Remove unneeded includes. Deal with unused function arguments. Resolve a boatload of signed/unsigned imcompatabilities. Etc.
|
#
89170 |
|
09-Jan-2002 |
msmith |
Staticise the random_state array.
Reviewed by: markm
|
#
74914 |
|
28-Mar-2001 |
jhb |
Catch up to header include changes: - <sys/mutex.h> now requires <sys/systm.h> - <sys/mutex.h> and <sys/sx.h> now require <sys/lock.h>
|
#
74908 |
|
28-Mar-2001 |
markm |
Fix nasty corruption problem where a 64bit variable was being used (overflowed) to catch a 256bit result.
Hard work done by: jhb
|
#
74072 |
|
10-Mar-2001 |
markm |
Very large makeover of the /dev/random driver.
o Separate the kernel stuff from the Yarrow algorithm. Yarrow is now well contained in one source file and one header.
o Replace the Blowfish-based crypto routines with Rijndael-based ones. (Rijndael is the new AES algorithm). The huge improvement in Rijndael's key-agility over Blowfish means that this is an extremely dramatic improvement in speed, and makes a heck of a difference in its (lack of) CPU load.
o Clean up the sysctl's. At BDE's prompting, I have gone back to static sysctls.
o Bug fixes. The streamlining of the crypto stuff enabled me to find and fix some bugs. DES also found a bug in the reseed routine which is fixed.
o Change the way reseeds clear "used" entropy. Previously, only the source(s) that caused a reseed were cleared. Now all sources in the relevant pool(s) are cleared.
o Code tidy-up. Mostly to make it (nearly) 80-column compliant.
|
#
73379 |
|
03-Mar-2001 |
markm |
Take down a comment that is no longer true.
/dev/random is ready for prime time!
|
#
72364 |
|
11-Feb-2001 |
markm |
Make a big improvement to entropy-harvesting speed by not having any locks (only atomic assigns) in the harvest ringbuffer.
|
#
72200 |
|
09-Feb-2001 |
bmilekic |
Change and clean the mutex lock interface.
mtx_enter(lock, type) becomes:
mtx_lock(lock) for sleep locks (MTX_DEF-initialized locks) mtx_lock_spin(lock) for spin locks (MTX_SPIN-initialized)
similarily, for releasing a lock, we now have:
mtx_unlock(lock) for MTX_DEF and mtx_unlock_spin(lock) for MTX_SPIN. We change the caller interface for the two different types of locks because the semantics are entirely different for each case, and this makes it explicitly clear and, at the same time, it rids us of the extra `type' argument.
The enter->lock and exit->unlock change has been made with the idea that we're "locking data" and not "entering locked code" in mind.
Further, remove all additional "flags" previously passed to the lock acquire/release routines with the exception of two:
MTX_QUIET and MTX_NOSWITCH
The functionality of these flags is preserved and they can be passed to the lock/unlock routines by calling the corresponding wrappers:
mtx_{lock, unlock}_flags(lock, flag(s)) and mtx_{lock, unlock}_spin_flags(lock, flag(s)) for MTX_DEF and MTX_SPIN locks, respectively.
Re-inline some lock acq/rel code; in the sleep lock case, we only inline the _obtain_lock()s in order to ensure that the inlined code fits into a cache line. In the spin lock case, we inline recursion and actually only perform a function call if we need to spin. This change has been made with the idea that we generally tend to avoid spin locks and that also the spin locks that we do have and are heavily used (i.e. sched_lock) do recurse, and therefore in an effort to reduce function call overhead for some architectures (such as alpha), we inline recursion for this case.
Create a new malloc type for the witness code and retire from using the M_DEV type. The new type is called M_WITNESS and is only declared if WITNESS is enabled.
Begin cleaning up some machdep/mutex.h code - specifically updated the "optimized" inlined code in alpha/mutex.h and wrote MTX_LOCK_SPIN and MTX_UNLOCK_SPIN asm macros for the i386/mutex.h as we presently need those.
Finally, caught up to the interface changes in all sys code.
Contributors: jake, jhb, jasone (in no particular order)
|
#
72180 |
|
08-Feb-2001 |
asmodai |
Fix typos: initalise -> initialise.
Initalise is not an english word.
|
#
71037 |
|
14-Jan-2001 |
markm |
Remove NOBLOCKRANDOM as a compile-time option. Instead, provide exactly the same functionality via a sysctl, making this feature a run-time option.
The default is 1(ON), which means that /dev/random device will NOT block at startup.
setting kern.random.sys.seeded to 0(OFF) will cause /dev/random to block until the next reseed, at which stage the sysctl will be changed back to 1(ON).
While I'm here, clean up the sysctls, and make them dynamic. Reviewed by: des Tested on Alpha by: obrien
|
#
70834 |
|
09-Jan-2001 |
wollman |
select() DKI is now in <sys/selinfo.h>.
|
#
69526 |
|
02-Dec-2000 |
markm |
Major speedup to /dev/random and the kernel thread that reseeds it.
There is no more TAILQ fifo to harvest the entropy; instead, there is a circular buffer of constant size (changeable by macro) that pretty dramatically improves the speed and fixes potential slowdowns- by-locking.
Also gone are a slew of malloc(9) and free(9) calls; all harvesting buffers are static.
All-in-all, this is a good performance improvement.
Thanks-to: msmith for the circular buffer concept-code.
|
#
69172 |
|
25-Nov-2000 |
markm |
Greatly improve the boot-up unblocking time of the entropy device.
|
#
69168 |
|
25-Nov-2000 |
markm |
Stop explicitly using nanotime(9) and use the new get_cyclecounter(9) call instead.
This makes a pretty dramatic difference to the amount of work that the harvester needs to do - it is much friendlier on the system. (80386 and 80486 class machines will notice little, as the new get_cyclecounter() call is a wrapper round nanotime(9) for them).
|
#
67882 |
|
29-Oct-2000 |
phk |
Remove unneeded #include <sys/proc.h> lines.
|
#
67365 |
|
20-Oct-2000 |
jhb |
Catch up to moving headers: - machine/ipl.h -> sys/ipl.h - machine/mutex.h -> sys/mutex.h
|
#
67112 |
|
14-Oct-2000 |
markm |
After some complaints about the dir names, the random device is now in dirs called sys/*/random/ instead of sys/*/randomdev/*.
Introduce blocking, but only at startup; the random device will block until the first reseed happens to prevent clients from using untrustworthy output.
Provide a read_random() call for the rest of the kernel so that the entropy device does not need to be present. This means that things like IPX no longer need to have "device random" hardcoded into thir kernel config. The downside is that read_random() will provide very poor output until the entropy device is loaded and reseeded. It is recommended that developers do NOT use the read_random() call; instead, they should use arc4random() which internally uses read_random().
Clean up the mutex and locking code a bit; this makes it possible to unload the module again.
|
#
66155 |
|
21-Sep-2000 |
markm |
Remove unneeded includes.
Submitted by: phk
|
#
65856 |
|
14-Sep-2000 |
jhb |
Remove the mtx_t, witness_t, and witness_blessed_t types. Instead, just use struct mtx, struct witness, and struct witness_blessed.
Requested by: bde
|
#
65775 |
|
12-Sep-2000 |
markm |
The "struct proc" argument to read_random was ill-conceived, and a hangover from previous experimentation. Remove it. This will clean up gratuitous needs for forward references and other namespace pollution. Moaned about by: bde Brought to my attention by: bp
|
#
65752 |
|
11-Sep-2000 |
jhb |
Move the prototypes for random_set_wakeup* from yarrow.c to yarrow.h so that both yarrow.c and harvest.c can use them.
Approved by: markm
|
#
65712 |
|
11-Sep-2000 |
jhb |
- Use RFHIGHPID when creating the kthread to get a more sensible pid. - Don't fake walking a tailq. Instead, use a while loop that pulls items off the head of the queue while the queue is not empty.
|
#
65686 |
|
10-Sep-2000 |
markm |
Large upgrade to the entropy device; mainly inspired by feedback from many folk.
o The reseed process is now a kthread. With SMPng, kthreads are pre-emptive, so the annoying jerkiness of the mouse is gone.
o The data structures are protected by mutexes now, not splfoo()/splx().
o The cryptographic routines are broken out into their own subroutines. this facilitates review, and possible replacement if that is ever found necessary.
Thanks to: kris, green, peter, jasone, grog, jhb Forgotten to thank: You know who you are; no offense intended.
|
#
63856 |
|
25-Jul-2000 |
markm |
Forgot from last commit:
o if the device is being written to, and the user is not root, or the securelevel is greater than 0, then fail with EPERM.
|
#
63855 |
|
25-Jul-2000 |
markm |
o Fix a horrible bug where small reads (< 8 bytes) would return the wrong bytes.
o Improve the public interface; use void* instead of char* or u_int64_t to pass arbitrary data around. Submitted by: kris ("horrible bug")
|
#
63771 |
|
23-Jul-2000 |
markm |
Clean this up with some BDE-inspired fixes.
o Make the comments KNF-compliant. o Use nanotime instead of getnanotime; the manpage lies about the kern.timecounter.method - it has been removed. o Fix the ENTROPYSOURCE const permanently. o Make variable names more consistent. o Make function prototypes more consistent.
Some more needs to be done; to follow.
|
#
63306 |
|
17-Jul-2000 |
markm |
Add randomness write functionality. This does absolutely nothing for entropy estimation, but causes an immediate reseed after the input (read in sizeof(u_int64_t) chunks) is "harvested".
This will be used in the reboot "reseeder", coming in another commit. This can be used very effectively at any time you think your randomness is compromised; something like
# (ps -gauxwww; netstat -an; dmesg; vmstat -c10 1) > /dev/random
will give the attacker something to think about.
|
#
62969 |
|
11-Jul-2000 |
markm |
Storing to a pointer is (effectively) atomic; no need to protect this with splhigh(). However, the entropy-harvesting routine needs pretty serious irq-protection, as it is called out of irq handlers etc.
Clues given by: bde
|
#
62967 |
|
11-Jul-2000 |
markm |
I think I need to move the newly static variables to the random_state structure; remind myself in the cooments. Also regroup all the Yarrow variables at the top of the variable list; they are "special". (no functional change).
|
#
62936 |
|
11-Jul-2000 |
green |
One should never allocate 4-kilobyte structs and such on the interrupt stack. It's bad for your machine's health.
Make the two huge structs in reseed() static to prevent crashes. This is the bug that people have been running into and panic()ing on for the past few days.
Reviewed by: phk
|
#
62875 |
|
10-Jul-2000 |
markm |
Provide more splsofttq() protection for the reseed task (running out of taskqueue_swi).
|
#
62850 |
|
09-Jul-2000 |
markm |
Make sure that tasks (running out of taskqueue_swi at splsofttq) are not interfered with by the harvester.
|
#
62841 |
|
09-Jul-2000 |
markm |
Yarrow tweaks; separate the fast and slow reseed tasks so that they don't stomp on each other; provide constant names (as enums) for the harvester to use (makes it more self-documenting).
|
#
62765 |
|
07-Jul-2000 |
markm |
Add entropy gathering code. This will work whether the module is compiled in or loaded.
|
#
62117 |
|
26-Jun-2000 |
markm |
style(9) fixes from BDE. We shouldn't use '#include ""', rather '#include<>'.
|
#
62090 |
|
25-Jun-2000 |
markm |
Fix include for non-module case.
Thanks-to: SOS
|
#
62053 |
|
25-Jun-2000 |
markm |
New machine-independant /dev/random driver.
This is work-in-progress, and the entropy-gathering routines are not yet present. As such, this should be viewed as a pretty reasonable PRNG with _ABSOLUTELY_NO_ security!!
Entropy gathering will be the subject of ongoing work.
This is written as a module, and as such is unloadable, but there is no refcounting done. I would like to use something like device_busy(9) to achieve this (eventually).
Lots of useful ideas from: bde, phk, Jeroen van Gelderen
Reviewed by: dfr
|