#
fdafd315 |
|
24-Nov-2023 |
Warner Losh <imp@FreeBSD.org> |
sys: Automated cleanup of cdefs and other formatting Apply the following automated changes to try to eliminate no-longer-needed sys/cdefs.h includes as well as now-empty blank lines in a row. Remove /^#if.*\n#endif.*\n#include\s+<sys/cdefs.h>.*\n/ Remove /\n+#include\s+<sys/cdefs.h>.*\n+#if.*\n#endif.*\n+/ Remove /\n+#if.*\n#endif.*\n+/ Remove /^#if.*\n#endif.*\n/ Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/types.h>/ Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/param.h>/ Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/capsicum.h>/ Sponsored by: Netflix
|
#
685dc743 |
|
16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
sys: Remove $FreeBSD$: one-line .c pattern Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/
|
#
1580afcd |
|
13-Nov-2021 |
Colin Percival <cperciva@FreeBSD.org> |
randomdev: Remove 100 ms sleep from write routine This was introduced in 2014 along with the comment (which has since been deleted): /* Introduce an annoying delay to stop swamping */ Modern cryptographic random number generators can ingest arbitrarily large amounts of non-random (or even maliciously selected) input without losing their security. Depending on the number of "boot entropy files" present on the system, this can speed up the boot process by up to 1 second. Reviewed by: cem MFC ater: 1 week Sponsored by: https://www.patreon.com/cperciva Differential Revision: https://reviews.freebsd.org/D32984
|
#
6895cade |
|
19-Sep-2021 |
Kyle Evans <kevans@FreeBSD.org> |
kern: random: drop read_rate and associated functionality Refer to discussion in PR 230808 for a less incomplete discussion, but the gist of this change is that we currently collect orders of magnitude more entropy than we need. The excess comes from bytes being read out of /dev/*random. The default rate at which we collect entropy without the read_rate increase is already more than we need to recover from a compromise of an internal state. Reviewed by: #csprng (cem, delphij, markm) Differential Revision: https://reviews.freebsd.org/D32021
|
#
10b1a175 |
|
10-Oct-2020 |
Conrad Meyer <cem@FreeBSD.org> |
arc4random(9): Integrate with RANDOM_FENESTRASX push-reseed There is no functional change for the existing Fortuna random(4) implementation, which remains the default in GENERIC. In the FenestrasX model, when the root CSPRNG is reseeded from pools due to an (infrequent) timer, child CSPRNGs can cheaply detect this condition and reseed. To do so, they just need to track an additional 64-bit value in the associated state, and compare it against the root seed version (generation) on random reads. This revision integrates arc4random(9) into that model without substantially changing the design or implementation of arc4random(9). The motivation is that arc4random(9) is immediately reseeded when the backing random(4) implementation has additional entropy. This is arguably most important during boot, when fenestrasX is reseeding at 1, 3, 9, 27, etc., second intervals. Today, arc4random(9) has a hardcoded 300 second reseed window. Without this mechanism, if arc4random(9) gets weak entropy during initial seed (and arc4random(9) is used early in boot, so this is quite possible), it may continue to emit poorly seeded output for 5 minutes. The FenestrasX push-reseed scheme corrects consumers, like arc4random(9), as soon as possible. Reviewed by: markm Approved by: csprng (markm) Differential Revision: https://reviews.freebsd.org/D22838
|
#
4a711b8d |
|
25-Jun-2020 |
John Baldwin <jhb@FreeBSD.org> |
Use zfree() instead of explicit_bzero() and free(). In addition to reducing lines of code, this also ensures that the full allocation is always zeroed avoiding possible bugs with incorrect lengths passed to explicit_bzero(). Suggested by: cem Reviewed by: cem, delphij Approved by: csprng (cem) Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D25435
|
#
3ee1d5bb |
|
26-Dec-2019 |
Conrad Meyer <cem@FreeBSD.org> |
random(4): Simplify RANDOM_LOADABLE Simplify RANDOM_LOADABLE by removing the ability to unload a LOADABLE random(4) implementation. This allows one-time random module selection at boot, by loader(8). Swapping modules on the fly doesn't seem especially useful. This removes the need to hold a lock over the sleepable module calls read_random and read_random_uio. init/deinit have been pulled out of random_algorithm entirely. Algorithms can run their own sysinits to initialize; deinit is removed entirely, as algorithms can not be unloaded. Algorithms should initialize at SI_SUB_RANDOM:SI_ORDER_SECOND. In LOADABLE systems, algorithms install a pointer to their local random_algorithm context in p_random_alg_context at that time. Go ahead and const'ify random_algorithm objects; there is no need to mutate them at runtime. LOADABLE kernel NULL checks are removed from random_harvestq by ordering random_harvestq initialization at SI_SUB_RANDOM:SI_ORDER_THIRD, after algorithm init. Prior to random_harvestq init, hc_harvest_mask is zero and no events are forwarded to algorithms; after random_harvestq init, the relevant pointers will already have been installed. Remove the bulk of random_infra shim wrappers and instead expose the bare function pointers in sys/random.h. In LOADABLE systems, read_random(9) et al are just thin shim macros around invoking the associated function pointer. We do not provide a registration system but instead expect LOADABLE modules to register themselves at SI_SUB_RANDOM:SI_ORDER_SECOND. An example is provided in randomdev.c, as used in the random_fortuna.ko module. Approved by: csprng(markm) Discussed with: gordon Differential Revision: https://reviews.freebsd.org/D22512
|
#
7384206a |
|
18-Aug-2019 |
Conrad Meyer <cem@FreeBSD.org> |
random(4): Reorder configuration of random source modules Move fast entropy source registration to the earlier SI_SUB_RANDOM:SI_ORDER_FOURTH and move random_harvestq_prime after that. Relocate the registration routines out of the much later randomdev module and into random_harvestq. This is necessary for the fast random sources to actually register before we perform random_harvestq_prime() early in the kernel boot. No functional change. Reviewed by: delphij, markjm Approved by: secteam(delphij) Differential Revision: https://reviews.freebsd.org/D21308
|
#
d0d71d81 |
|
17-Jun-2019 |
Conrad Meyer <cem@FreeBSD.org> |
random(4): Generalize algorithm-independent APIs At a basic level, remove assumptions about the underlying algorithm (such as output block size and reseeding requirements) from the algorithm-independent logic in randomdev.c. Chacha20 does not have many of the restrictions that AES-ICM does as a PRF (Pseudo-Random Function), because it has a cipher block size of 512 bits. The motivation is that by generalizing the API, Chacha is not penalized by the limitations of AES. In READ_RANDOM_UIO, first attempt to NOWAIT allocate a large enough buffer for the entire user request, or the maximal input we'll accept between signal checking, whichever is smaller. The idea is that the implementation of any randomdev algorithm is then free to divide up large requests in whatever fashion it sees fit. As part of this, two responsibilities from the "algorithm-generic" randomdev code are pushed down into the Fortuna ra_read implementation (and any other future or out-of-tree ra_read implementations): 1. If an algorithm needs to rekey every N bytes, it is responsible for handling that in ra_read(). (I.e., Fortuna's 1MB rekey interval for AES block generation.) 2. If an algorithm uses a block cipher that doesn't tolerate partial-block requests (again, e.g., AES), it is also responsible for handling that in ra_read(). Several APIs are changed from u_int buffer length to the more canonical size_t. Several APIs are changed from taking a blockcount to a bytecount, to permit PRFs like Chacha20 to directly generate quantities of output that are not multiples of RANDOM_BLOCKSIZE (AES block size). The Fortuna algorithm is changed to NOT rekey every 1MiB when in Chacha20 mode (kern.random.use_chacha20_cipher="1"). This is explicitly supported by the math in FS&K §9.4 (Ferguson, Schneier, and Kohno; "Cryptography Engineering"), as well as by their conclusion: "If we had a block cipher with a 256-bit [or greater] block size, then the collisions would not have been an issue at all." For now, continue to break up reads into PAGE_SIZE chunks, as they were before. So, no functional change, mostly. Reviewed by: markm Approved by: secteam(delphij) Differential Revision: https://reviews.freebsd.org/D20312
|
#
00e0e488 |
|
23-May-2019 |
Conrad Meyer <cem@FreeBSD.org> |
random(4): deduplicate explicit_bzero() in harvest Pull the responsibility for zeroing events, which is general to any conceivable implementation of a random device algorithm, out of the algorithm-specific Fortuna code and into the callers. Most callers indirect through random_fortuna_process_event(), so add the logic there. Most callers already explicitly bzeroed the events they provided, so the logic in Fortuna was mostly redundant. Add one missing bzero in randomdev_accumulate(). Also, remove a redundant bzero in the same function -- randomdev_hash_finish() is obliged to bzero the hash state. Reviewed by: delphij Approved by: secteam(delphij) Sponsored by: Dell EMC Isilon Differential Revision: https://reviews.freebsd.org/D20318
|
#
3782136f |
|
18-Apr-2019 |
Conrad Meyer <cem@FreeBSD.org> |
random(4): Restore availability tradeoff prior to r346250 As discussed in that commit message, it is a dangerous default. But the safe default causes enough pain on a variety of platforms that for now, restore the prior default. Some of this is self-induced pain we should/could do better about; for example, programmatic CI systems and VM managers should introduce entropy from the host for individual VM instances. This is considered a future work item. On modern x86 and Power9 systems, this may be wholly unnecessary after D19928 lands (even in the non-ideal case where early /boot/entropy is unavailable), because they have fast hardware random sources available early in boot. But D19928 is not yet landed and we have a host of architectures which do not provide fast random sources. This change adds several tunables and diagnostic sysctls, documented thoroughly in UPDATING and sys/dev/random/random_infra.c. PR: 230875 (reopens) Reported by: adrian, jhb, imp, and probably others Reviewed by: delphij, imp (earlier version), markm (earlier version) Discussed with: adrian Approved by: secteam(delphij) Relnotes: yeah Security: related Differential Revision: https://reviews.freebsd.org/D19944
|
#
f3d2512d |
|
16-Apr-2019 |
Conrad Meyer <cem@FreeBSD.org> |
random(4): Add is_random_seeded(9) KPI The imagined use is for early boot consumers of random to be able to make decisions based on whether random is available yet or not. One such consumer seems to be __stack_chk_init(), which runs immediately after random is initialized. A follow-up patch will attempt to address that. Reported by: many Reviewed by: delphij (except man page) Approved by: secteam(delphij) Differential Revision: https://reviews.freebsd.org/D19926
|
#
13774e82 |
|
15-Apr-2019 |
Conrad Meyer <cem@FreeBSD.org> |
random(4): Block read_random(9) on initial seeding read_random() is/was used, mostly without error checking, in a lot of very sensitive places in the kernel -- including seeding the widely used arc4random(9). Most uses, especially arc4random(9), should block until the device is seeded rather than proceeding with a bogus or empty seed. I did not spy any obvious kernel consumers where blocking would be inappropriate (in the sense that lack of entropy would be ok -- I did not investigate locking angle thoroughly). In many instances, arc4random_buf(9) or that family of APIs would be more appropriate anyway; that work was done in r345865. A minor cleanup was made to the implementation of the READ_RANDOM function: instead of using a variable-length array on the stack to temporarily store all full random blocks sufficient to satisfy the requested 'len', only store a single block on the stack. This has some benefit in terms of reducing stack usage, reducing memcpy overhead and reducing devrandom output leakage via the stack. Additionally, the stack block is now safely zeroed if it was used. One caveat of this change is that the kern.arandom sysctl no longer returns zero bytes immediately if the random device is not seeded. This means that FreeBSD-specific userspace applications which attempted to handle an unseeded random device may be broken by this change. If such behavior is needed, it can be replaced by the more portable getrandom(2) GRND_NONBLOCK option. On any typical FreeBSD system, entropy is persisted on read/write media and used to seed the random device very early in boot, and blocking is never a problem. This change primarily impacts the behavior of /dev/random on embedded systems with read-only media that do not configure "nodevice random". We toggle the default from 'charge on blindly with no entropy' to 'block indefinitely.' This default is safer, but may cause frustration. Embedded system designers using FreeBSD have several options. The most obvious is to plan to have a small writable NVRAM or NAND to persist entropy, like larger systems. Early entropy can be fed from any loader, or by writing directly to /dev/random during boot. Some embedded SoCs now provide a fast hardware entropy source; this would also work for quickly seeding Fortuna. A 3rd option would be creating an embedded-specific, more simplistic random module, like that designed by DJB in [1] (this design still requires a small rewritable media for forward secrecy). Finally, the least preferred option might be "nodevice random", although I plan to remove this in a subsequent revision. To help developers emulate the behavior of these embedded systems on ordinary workstations, the tunable kern.random.block_seeded_status was added. When set to 1, it blocks the random device. I attempted to document this change in random.4 and random.9 and ran into a bunch of out-of-date or irrelevant or inaccurate content and ended up rototilling those documents more than I intended to. Sorry. I think they're in a better state now. PR: 230875 Reviewed by: delphij, markm (earlier version) Approved by: secteam(delphij), devrandom(markm) Relnotes: yes Differential Revision: https://reviews.freebsd.org/D19744
|
#
7a8d2661 |
|
09-Sep-2018 |
Xin LI <delphij@FreeBSD.org> |
random(4): Squash non-error timeout codes from tsleep(9). In both scenarios a timeout (EWOULDBLOCK) is considered as a normal condition and the error should not pop up to upper layers. PR: 231181 Submitted by: cem Reported by: lev Reviewed by: vangyzen, markm, delphij Approved by: re (kib) Approved by: secteam (delphij) Differential Revision: https://reviews.freebsd.org/D17049
|
#
19fa89e9 |
|
25-Aug-2018 |
Mark Murray <markm@FreeBSD.org> |
Remove the Yarrow PRNG algorithm option in accordance with due notice given in random(4). This includes updating of the relevant man pages, and no-longer-used harvesting parameters. Ensure that the pseudo-unit-test still does something useful, now also with the "other" algorithm instead of Yarrow. PR: 230870 Reviewed by: cem Approved by: so(delphij,gtetlow) Approved by: re(marius) Differential Revision: https://reviews.freebsd.org/D16898
|
#
db488e4f |
|
16-Mar-2018 |
Conrad Meyer <cem@FreeBSD.org> |
random(4): Poll for signals during large reads Occasionally poll for signals during large reads of the /dev/u?random devices. This allows cancellation via SIGINT of accidental invocations of very large reads. (A 2GB /dev/random read, which takes about 10 seconds on my 2017 AMD Zen processor, can be aborted.) I believe this behavior was intended since 2014 (r273997), just not fully implemented. This is motivated by a potential getrandom(2) interface that may not explicitly forbid extremely large reads on 64-bit platforms -- even larger than the 2GB limit imposed on devfs I/O by default. Such reads, if they are to be allowed, should be cancellable by the user or administrator. Reviewed by: delphij Approved by: secteam (delphij) Sponsored by: Dell EMC Isilon Differential Revision: https://reviews.freebsd.org/D14684
|
#
095db7e6 |
|
07-Oct-2017 |
Conrad Meyer <cem@FreeBSD.org> |
random(4): Gather entropy from Pure sources At initialization, hc_source_mask only includes non-Pure sources. The patch changes source registration to enable the registered source in the hc_source_mask bitmask. This mask governs which sources are harvested. This patch also disallows userspace from disabling such sources. PR: 222807 Submitted by: W. Dean Freeman <badfilemagic AT gmail.com> Reviewed by: jmg (earlier version), delphij Approved by: secteam (delphij) Obtained from: HBSD 0054e3e170e083811acc9f3b637f8be8a86c03e7 Security: yes Differential Revision: https://reviews.freebsd.org/D12611
|
#
7b250b1e |
|
25-Apr-2016 |
Pedro F. Giffuni <pfg@FreeBSD.org> |
dev/random: use our roundup() macro instead of re-implementing it. While here also use howmany() macro from sys/param.h No functional change. Reviewed by: markm (roundup replacement part) Approved by: so
|
#
7a3f5d11 |
|
27-Dec-2015 |
Allan Jude <allanjude@FreeBSD.org> |
Replace sys/crypto/sha2/sha2.c with lib/libmd/sha512c.c cperciva's libmd implementation is 5-30% faster The same was done for SHA256 previously in r263218 cperciva's implementation was lacking SHA-384 which I implemented, validated against OpenSSL and the NIST documentation Extend sbin/md5 to create sha384(1) Chase dependancies on sys/crypto/sha2/sha2.{c,h} and replace them with sha512{c.c,.h} Reviewed by: cperciva, des, delphij Approved by: secteam, bapt (mentor) MFC after: 2 weeks Sponsored by: ScaleEngine Inc. Differential Revision: https://reviews.freebsd.org/D3929
|
#
646041a8 |
|
17-Aug-2015 |
Mark Murray <markm@FreeBSD.org> |
Add DEV_RANDOM pseudo-option and use it to "include out" random(4) if desired. Retire randomdev_none.c and introduce random_infra.c for resident infrastructure. Completely stub out random(4) calls in the "without DEV_RANDOM" case. Add RANDOM_LOADABLE option to allow loadable Yarrow/Fortuna/LocallyWritten algorithm. Add a skeleton "other" algorithm framework for folks to add their own processing code. NIST, anyone? Retire the RANDOM_DUMMY option. Build modules for Yarrow, Fortuna and "other". Use atomics for the live entropy rate-tracking. Convert ints to bools for the 'seeded' logic. Move _write() function from the algorithm-specific areas to randomdev.c Get rid of reseed() function - it is unused. Tidy up the opt_*.h includes. Update documentation for random(4) modules. Fix test program (reviewers, please leave this). Differential Revision: https://reviews.freebsd.org/D3354 Reviewed by: wblock,delphij,jmg,bjk Approved by: so (/dev/random blanket)
|
#
eda4aaeb |
|
19-Jul-2015 |
Mark Murray <markm@FreeBSD.org> |
Fix some untidy logic. I committed the wrong local fix; please pass the pointy hat. Approved by: so (/dev/random blanket)
|
#
dbefaadc |
|
19-Jul-2015 |
Mark Murray <markm@FreeBSD.org> |
Fix the read blocking so that it is interruptable and slow down the rate of console warning spamming while blocked. Approved by: so (/dev/random blanket)
|
#
95b184a0 |
|
19-Jul-2015 |
Mark Murray <markm@FreeBSD.org> |
Optimise the buffer-size calculation. It was possible to get one block too many. Approved by: so (/dev/random blanket)
|
#
bc41a247 |
|
14-Jul-2015 |
Ed Schouten <ed@FreeBSD.org> |
Fix the build after breaking it in r285549. I performed the commit on a different system as where I wrote the change. After pulling in the change from Phabricator, I didn't notice that a single chunk did not apply. Approved by: secteam (implicit, as intended change was approved) Pointy hat to: me
|
#
707d98fe |
|
14-Jul-2015 |
Ed Schouten <ed@FreeBSD.org> |
Implement the CloudABI random_get() system call. The random_get() system call works similar to getentropy()/getrandom() on OpenBSD/Linux. It fills a buffer with random data. This change introduces a new function, read_random_uio(), that is used to implement read() on the random devices. We can call into this function from within the CloudABI compatibility layer. Approved by: secteam Reviewed by: jmg, markm, wblock Obtained from: https://github.com/NuxiNL/freebsd Differential Revision: https://reviews.freebsd.org/D3053
|
#
b712101c |
|
13-Jul-2015 |
Mark Murray <markm@FreeBSD.org> |
Rework the read routines to keep the PRNG sources happy. These work in units of crypto blocks, so must have adequate space to write. This means needing to be careful about buffers and keeping track of external read request length. Approved by: so (/dev/random blanket)
|
#
3aa77530 |
|
12-Jul-2015 |
Mark Murray <markm@FreeBSD.org> |
* Address review (and add a bit myself). - Tweek man page. - Remove all mention of RANDOM_FORTUNA. If the system owner wants YARROW or DUMMY, they ask for it, otherwise they get FORTUNA. - Tidy up headers a bit. - Tidy up declarations a bit. - Make static in a couple of places where needed. - Move Yarrow/Fortuna SYSINIT/SYSUNINIT to randomdev.c, moving us towards a single file where the algorithm context is used. - Get rid of random_*_process_buffer() functions. They were only used in one place each, and are better subsumed into those places. - Remove *_post_read() functions as they are stubs everywhere. - Assert against buffer size illegalities. - Clean up some silly code in the randomdev_read() routine. - Make the harvesting more consistent. - Make some requested argument name changes. - Tidy up and clarify a few comments. - Make some requested comment changes. - Make some requested macro changes. * NOTE: the thing calling itself a 'unit test' is not yet a proper unit test, but it helps me ensure things work. It may be a proper unit test at some time in the future, but for now please don't make any assumptions or hold any expectations. Differential Revision: https://reviews.freebsd.org/D2025 Approved by: so (/dev/random blanket)
|
#
d1b06863 |
|
30-Jun-2015 |
Mark Murray <markm@FreeBSD.org> |
Huge cleanup of random(4) code. * GENERAL - Update copyright. - Make kernel options for RANDOM_YARROW and RANDOM_DUMMY. Set neither to ON, which means we want Fortuna - If there is no 'device random' in the kernel, there will be NO random(4) device in the kernel, and the KERN_ARND sysctl will return nothing. With RANDOM_DUMMY there will be a random(4) that always blocks. - Repair kern.arandom (KERN_ARND sysctl). The old version went through arc4random(9) and was a bit weird. - Adjust arc4random stirring a bit - the existing code looks a little suspect. - Fix the nasty pre- and post-read overloading by providing explictit functions to do these tasks. - Redo read_random(9) so as to duplicate random(4)'s read internals. This makes it a first-class citizen rather than a hack. - Move stuff out of locked regions when it does not need to be there. - Trim RANDOM_DEBUG printfs. Some are excess to requirement, some behind boot verbose. - Use SYSINIT to sequence the startup. - Fix init/deinit sysctl stuff. - Make relevant sysctls also tunables. - Add different harvesting "styles" to allow for different requirements (direct, queue, fast). - Add harvesting of FFS atime events. This needs to be checked for weighing down the FS code. - Add harvesting of slab allocator events. This needs to be checked for weighing down the allocator code. - Fix the random(9) manpage. - Loadable modules are not present for now. These will be re-engineered when the dust settles. - Use macros for locks. - Fix comments. * src/share/man/... - Update the man pages. * src/etc/... - The startup/shutdown work is done in D2924. * src/UPDATING - Add UPDATING announcement. * src/sys/dev/random/build.sh - Add copyright. - Add libz for unit tests. * src/sys/dev/random/dummy.c - Remove; no longer needed. Functionality incorporated into randomdev.*. * live_entropy_sources.c live_entropy_sources.h - Remove; content moved. - move content to randomdev.[ch] and optimise. * src/sys/dev/random/random_adaptors.c src/sys/dev/random/random_adaptors.h - Remove; plugability is no longer used. Compile-time algorithm selection is the way to go. * src/sys/dev/random/random_harvestq.c src/sys/dev/random/random_harvestq.h - Add early (re)boot-time randomness caching. * src/sys/dev/random/randomdev_soft.c src/sys/dev/random/randomdev_soft.h - Remove; no longer needed. * src/sys/dev/random/uint128.h - Provide a fake uint128_t; if a real one ever arrived, we can use that instead. All that is needed here is N=0, N++, N==0, and some localised trickery is used to manufacture a 128-bit 0ULLL. * src/sys/dev/random/unit_test.c src/sys/dev/random/unit_test.h - Improve unit tests; previously the testing human needed clairvoyance; now the test will do a basic check of compressibility. Clairvoyant talent is still a good idea. - This is still a long way off a proper unit test. * src/sys/dev/random/fortuna.c src/sys/dev/random/fortuna.h - Improve messy union to just uint128_t. - Remove unneeded 'static struct fortuna_start_cache'. - Tighten up up arithmetic. - Provide a method to allow eternal junk to be introduced; harden it against blatant by compress/hashing. - Assert that locks are held correctly. - Fix the nasty pre- and post-read overloading by providing explictit functions to do these tasks. - Turn into self-sufficient module (no longer requires randomdev_soft.[ch]) * src/sys/dev/random/yarrow.c src/sys/dev/random/yarrow.h - Improve messy union to just uint128_t. - Remove unneeded 'staic struct start_cache'. - Tighten up up arithmetic. - Provide a method to allow eternal junk to be introduced; harden it against blatant by compress/hashing. - Assert that locks are held correctly. - Fix the nasty pre- and post-read overloading by providing explictit functions to do these tasks. - Turn into self-sufficient module (no longer requires randomdev_soft.[ch]) - Fix some magic numbers elsewhere used as FAST and SLOW. Differential Revision: https://reviews.freebsd.org/D2025 Reviewed by: vsevolod,delphij,rwatson,trasz,jmg Approved by: so (delphij)
|
#
601e8bcd |
|
17-Feb-2015 |
John-Mark Gurney <jmg@FreeBSD.org> |
When the new random adaptor code was brought it in r273872, a call to randomdev_init_reader to change read_random over to the newly installed adaptor was missed. This means both read_random and arc4random (seeded from read_random) were not returning very random data. This also effects userland arc4random as it is seeded from kernel arc4random. The random devices are uneffected and have returned good randomness since the change. All keys generated with a kernel of r273872 must be regenerated with a kernel with this patch. Keys generated may be predictable. Remove the warning as log is too early to print anything, and it would always get printed due to early use of arc4random... Reviewed by: delphij, markm Approved by: so (delphij)
|
#
48e279ea |
|
07-Nov-2014 |
Konstantin Belousov <kib@FreeBSD.org> |
Fix random.ko module. - Remove duplicated sources between standard part of the kernel and module. In particular, it caused duplicated lock initialization and sysctl registration, both having bad consequences. - Add missed source files to module. - Static part of the kernel provides randomdev module, not random_adaptors. Correct dependencies. - Use cdev modules declaration macros. Approved by: secteam (delphij) Reviewed by: markm
|
#
10cb2424 |
|
30-Oct-2014 |
Mark Murray <markm@FreeBSD.org> |
This is the much-discussed major upgrade to the random(4) device, known to you all as /dev/random. This code has had an extensive rewrite and a good series of reviews, both by the author and other parties. This means a lot of code has been simplified. Pluggable structures for high-rate entropy generators are available, and it is most definitely not the case that /dev/random can be driven by only a hardware souce any more. This has been designed out of the device. Hardware sources are stirred into the CSPRNG (Yarrow, Fortuna) like any other entropy source. Pluggable modules may be written by third parties for additional sources. The harvesting structures and consequently the locking have been simplified. Entropy harvesting is done in a more general way (the documentation for this will follow). There is some GREAT entropy to be had in the UMA allocator, but it is disabled for now as messing with that is likely to annoy many people. The venerable (but effective) Yarrow algorithm, which is no longer supported by its authors now has an alternative, Fortuna. For now, Yarrow is retained as the default algorithm, but this may be changed using a kernel option. It is intended to make Fortuna the default algorithm for 11.0. Interested parties are encouraged to read ISBN 978-0-470-47424-2 "Cryptography Engineering" By Ferguson, Schneier and Kohno for Fortuna's gory details. Heck, read it anyway. Many thanks to Arthur Mesh who did early grunt work, and who got caught in the crossfire rather more than he deserved to. My thanks also to folks who helped me thresh this out on whiteboards and in the odd "Hallway track", or otherwise. My Nomex pants are on. Let the feedback commence! Reviewed by: trasz,des(partial),imp(partial?),rwatson(partial?) Approved by: so(des)
|
#
aa1c9097 |
|
09-Oct-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Re-add /dev/urandom for compatibility purposes.
|
#
b9887f50 |
|
08-Oct-2013 |
Mark Murray <markm@FreeBSD.org> |
Fix some just-noticed problems: o Allow this to work with "nodevice random" by fixing where the MALLOC pool is defined. o Fix the explicit reseed code. This was correct as submitted, but in the project branch doesn't need to set the "seeded" bit as this is done correctly in the "unblock" function. o Remove some debug ifdeffing. o Adjust comments.
|
#
095ed2c9 |
|
06-Oct-2013 |
Mark Murray <markm@FreeBSD.org> |
SNAPSHOT. Simplify the malloc pools; We only need one for this device. Simplify the harvest queue. Marginally improve the entropy pool hashing, making it a bit faster in the process. Connect up the hardware "live" source harvesting. This is simplistic for now, and will need to be made rate-adaptive. All of the above passes a compile test but needs to be debugged.
|
#
f02e47dc |
|
04-Oct-2013 |
Mark Murray <markm@FreeBSD.org> |
Snapshot. This passes the build test, but has not yet been finished or debugged. Contains: * Refactor the hardware RNG CPU instruction sources to feed into the software mixer. This is unfinished. The actual harvesting needs to be sorted out. Modified by me (see below). * Remove 'frac' parameter from random_harvest(). This was never used and adds extra code for no good reason. * Remove device write entropy harvesting. This provided a weak attack vector, was not very good at bootstrapping the device. To follow will be a replacement explicit reseed knob. * Separate out all the RANDOM_PURE sources into separate harvest entities. This adds some secuity in the case where more than one is present. * Review all the code and fix anything obviously messy or inconsistent. Address som review concerns while I'm here, like rename the pseudo-rng to 'dummy'. Submitted by: Arthur Mesh <arthurmesh@gmail.com> (the first item)
|
#
7c2af621 |
|
07-Sep-2013 |
Mark Murray <markm@FreeBSD.org> |
Fix the build; Certain linkable symbols need to always be present. Pass the pointy hat please. Also unblock the software (Yarrow) generator for now. This will be reverted; Yarrow needs to block until secure, not this behaviour of serving as soon as asked. Folks with specific requiremnts will be able to (can!) unblock this device with any write, and are encouraged to do so in /etc/rc.d/* scripting. ("Any" in this case could be "echo '' > /dev/random" as root).
|
#
ddbfa6b1 |
|
24-Aug-2013 |
Mark Murray <markm@FreeBSD.org> |
1) example (partially humorous random_adaptor, that I call "EXAMPLE") * It's not meant to be used in a real system, it's there to show how the basics of how to create interfaces for random_adaptors. Perhaps it should belong in a manual page 2) Move probe.c's functionality in to random_adaptors.c * rename random_ident_hardware() to random_adaptor_choose() 3) Introduce a new way to choose (or select) random_adaptors via tunable "rngs_want" It's a list of comma separated names of adaptors, ordered by preferences. I.e.: rngs_want="yarrow,rdrand" Such setting would cause yarrow to be preferred to rdrand. If neither of them are available (or registered), then system will default to something reasonable (currently yarrow). If yarrow is not present, then we fall back to the adaptor that's first on the list of registered adaptors. 4) Introduce a way where RNGs can play a role of entropy source. This is mostly useful for HW rngs. The way I envision this is that every HW RNG will use this functionality by default. Functionality to disable this is also present. I have an example of how to use this in random_adaptor_example.c (see modload event, and init function) 5) fix kern.random.adaptors from kern.random.adaptors: yarrowpanicblock to kern.random.adaptors: yarrow,panic,block 6) add kern.random.active_adaptor to indicate currently selected adaptor: root@freebsd04:~ # sysctl kern.random.active_adaptor kern.random.active_adaptor: yarrow Submitted by: Arthur Mesh <arthurmesh@gmail.com>
|
#
5711939b |
|
09-Aug-2013 |
David E. O'Brien <obrien@FreeBSD.org> |
* Add random_adaptors.[ch] which is basically a store of random_adaptor's. random_adaptor is basically an adapter that plugs in to random(4). random_adaptor can only be plugged in to random(4) very early in bootup. Unplugging random_adaptor from random(4) is not supported, and is probably a bad idea anyway, due to potential loss of entropy pools. We currently have 3 random_adaptors: + yarrow + rdrand (ivy.c) + nehemeiah * Remove platform dependent logic from probe.c, and move it into corresponding registration routines of each random_adaptor provider. probe.c doesn't do anything other than picking a specific random_adaptor from a list of registered ones. * If the kernel doesn't have any random_adaptor adapters present then the creation of /dev/random is postponed until next random_adaptor is kldload'ed. * Fix randomdev_soft.c to refer to its own random_adaptor, instead of a system wide one. Submitted by: arthurmesh@gmail.com, obrien Obtained from: Juniper Networks Reviewed by: so (des)
|
#
0e6a0799 |
|
31-Jul-2013 |
David E. O'Brien <obrien@FreeBSD.org> |
Back out r253779 & r253786.
|
#
99ff83da |
|
29-Jul-2013 |
David E. O'Brien <obrien@FreeBSD.org> |
Decouple yarrow from random(4) device. * Make Yarrow an optional kernel component -- enabled by "YARROW_RNG" option. The files sha2.c, hash.c, randomdev_soft.c and yarrow.c comprise yarrow. * random(4) device doesn't really depend on rijndael-*. Yarrow, however, does. * Add random_adaptors.[ch] which is basically a store of random_adaptor's. random_adaptor is basically an adapter that plugs in to random(4). random_adaptor can only be plugged in to random(4) very early in bootup. Unplugging random_adaptor from random(4) is not supported, and is probably a bad idea anyway, due to potential loss of entropy pools. We currently have 3 random_adaptors: + yarrow + rdrand (ivy.c) + nehemeiah * Remove platform dependent logic from probe.c, and move it into corresponding registration routines of each random_adaptor provider. probe.c doesn't do anything other than picking a specific random_adaptor from a list of registered ones. * If the kernel doesn't have any random_adaptor adapters present then the creation of /dev/random is postponed until next random_adaptor is kldload'ed. * Fix randomdev_soft.c to refer to its own random_adaptor, instead of a system wide one. Submitted by: arthurmesh@gmail.com, obrien Obtained from: Juniper Networks Reviewed by: obrien
|
#
d0961945 |
|
09-Jul-2013 |
David E. O'Brien <obrien@FreeBSD.org> |
Refactor random_systat to be a *random_systat. This avoids unnecessary structure copying in random_ident_hardware(). This change will also help further modularization of random(4) subsystem. Submitted by: arthurmesh@gmail.com Reviewed by: obrien Obtained from: Juniper Networks
|
#
23b70c1a |
|
04-Jan-2011 |
Konstantin Belousov <kib@FreeBSD.org> |
Finish r210923, 210926. Mark some devices as eternal. MFC after: 2 weeks
|
#
a7d5f7eb |
|
19-Oct-2010 |
Jamie Gritton <jamie@FreeBSD.org> |
A new jail(8) with a configuration file, to replace the work currently done by /etc/rc.d/jail.
|
#
8c85a7fb |
|
24-Nov-2008 |
Colin Percival <cperciva@FreeBSD.org> |
Make sure arc4random(9) is properly seeded when /etc/rc.d/initrandom returns. Approved by: so (cperciva) Approved by: re (kensmith) Security: FreeBSD-SA-08:11.arc4random
|
#
d7f03759 |
|
19-Oct-2008 |
Ulf Lilleengen <lulf@FreeBSD.org> |
- Import the HEAD csup code which is the basis for the cvsmode work.
|
#
acd3428b |
|
06-Nov-2006 |
Robert Watson <rwatson@FreeBSD.org> |
Sweep kernel replacing suser(9) calls with priv(9) calls, assigning specific privilege names to a broad range of privileges. These may require some future tweaking. Sponsored by: nCircle Network Security, Inc. Obtained from: TrustedBSD Project Discussed on: arch@ Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri, Alex Lyashkov <umka at sevcity dot net>, Skip Ford <skip dot ford at verizon dot net>, Antoine Brodin <antoine dot brodin at laposte dot net>
|
#
efbbe8fa |
|
20-Dec-2005 |
Paul Saab <ps@FreeBSD.org> |
Remove GIANT from device random. Submitted by: ups
|
#
4c4a94ce |
|
22-Dec-2004 |
Poul-Henning Kamp <phk@FreeBSD.org> |
Check O_NONBLOCK not IO_NDELAY. Don't include vnode.h
|
#
ce46e205 |
|
02-Aug-2004 |
Mark Murray <markm@FreeBSD.org> |
Add module versions.
|
#
587d5fc6 |
|
18-Jul-2004 |
Mark Murray <markm@FreeBSD.org> |
Start the entropy device insecure/unblocked. I'll be handing over responsibility for critical randomness requirements (like sshd) to rc.d/* Requested by: many
|
#
3e019dea |
|
15-Jul-2004 |
Poul-Henning Kamp <phk@FreeBSD.org> |
Do a pass over all modules in the kernel and make them return EOPNOTSUPP for unknown events. A number of modules return EINVAL in this instance, and I have left those alone for now and instead taught MOD_QUIESCE to accept this as "didn't do anything".
|
#
39981fed |
|
01-Jul-2004 |
John Baldwin <jhb@FreeBSD.org> |
Trim a few things from the dmesg output and stick them under bootverbose to cut down on the clutter including PCI interrupt routing, MTRR, pcibios, etc. Discussed with: USENIX Cabal
|
#
89c9c53d |
|
16-Jun-2004 |
Poul-Henning Kamp <phk@FreeBSD.org> |
Do the dreaded s/dev_t/struct cdev */ Bump __FreeBSD_version accordingly.
|
#
41ee9f1c |
|
30-May-2004 |
Poul-Henning Kamp <phk@FreeBSD.org> |
Add some missing <sys/module.h> includes which are masked by the one on death-row in <sys/kernel.h>
|
#
fa2d865b |
|
17-Apr-2004 |
Mark Murray <markm@FreeBSD.org> |
More removal of the abortive locking code; malloc buffers when needed, rather than potentially reusing contents.
|
#
55636152 |
|
16-Apr-2004 |
Mark Murray <markm@FreeBSD.org> |
Attempts to make this device Giant-free were ill-conceived as uiomove(9) is not properly locked. So, return to NEEDGIANT mode. Later, when uiomove is finely locked, I'll revisit. While I'm here, provide some temporary debugging output to help catch blocking startups.
|
#
f587c6bf |
|
12-Apr-2004 |
Mark Murray <markm@FreeBSD.org> |
Fix "sleeping without a mutex" panic.
|
#
e7806b4c |
|
09-Apr-2004 |
Mark Murray <markm@FreeBSD.org> |
Reorganise the entropy device so that high-yield entropy sources can more easily be used INSTEAD OF the hard-working Yarrow. The only hardware source used at this point is the one inside the VIA C3 Nehemiah (Stepping 3 and above) CPU. More sources will be added in due course. Contributions welcome!
|
#
dc08ffec |
|
21-Feb-2004 |
Poul-Henning Kamp <phk@FreeBSD.org> |
Device megapatch 4/6: Introduce d_version field in struct cdevsw, this must always be initialized to D_VERSION. Flip sense of D_NOGIANT flag to D_NEEDGIANT, this involves removing four D_NOGIANT flags and adding 145 D_NEEDGIANT flags.
|
#
74cf5855 |
|
12-Feb-2004 |
Poul-Henning Kamp <phk@FreeBSD.org> |
Correct the cleanup of the alias dev_t for /dev/urandom: being an alias it depends on the aliased dev_t and disappears automatically when that is removed. Submitted by: "Bjoern A. Zeeb" <bzeeb+freebsd@zabbadoz.net>
|
#
4e3a7a14 |
|
20-Nov-2003 |
Mark Murray <markm@FreeBSD.org> |
Fix a major faux pas of mine. I was causing 2 very bad things to happen in interrupt context; 1) sleep locks, and 2) malloc/free calls. 1) is fixed by using spin locks instead. 2) is fixed by preallocating a FIFO (implemented with a STAILQ) and using elements from this FIFO instead. This turns out to be rather fast. OK'ed by: re (scottl) Thanks to: peter, jhb, rwatson, jake Apologies to: *
|
#
0887c8c1 |
|
17-Nov-2003 |
Mark Murray <markm@FreeBSD.org> |
Overhaul the entropy device: o Each source gets its own queue, which is a FIFO, not a ring buffer. The FIFOs are implemented with the sys/queue.h macros. The separation is so that a low entropy/high rate source can't swamp the harvester with low-grade entropy and destroy the reseeds. o Each FIFO is limited to 256 (set as a macro, so adjustable) events queueable. Full FIFOs are ignored by the harvester. This is to prevent memory wastage, and helps to keep the kernel thread CPU usage within reasonable limits. o There is no need to break up the event harvesting into ${burst} sized chunks, so retire that feature. o Break the device away from its roots with the memory device, and allow it to get its major number automagically.
|
#
512824f8 |
|
09-Nov-2003 |
Seigo Tanimura <tanimura@FreeBSD.org> |
- Implement selwakeuppri() which allows raising the priority of a thread being waken up. The thread waken up can run at a priority as high as after tsleep(). - Replace selwakeup()s with selwakeuppri()s and pass appropriate priorities. - Add cv_broadcastpri() which raises the priority of the broadcast threads. Used by selwakeuppri() if collision occurs. Not objected in: -arch, -current
|
#
f7575892 |
|
02-Nov-2003 |
Mark Murray <markm@FreeBSD.org> |
Make sure we get all user-written input. This simplifies the code considerably. Submitted by: (forgotten) [I'll happily acknowledge the submitter if he owns up!]
|
#
aad970f1 |
|
24-Aug-2003 |
David E. O'Brien <obrien@FreeBSD.org> |
Use __FBSDID(). Also some minor style cleanups.
|
#
68c2a41e |
|
02-Jul-2003 |
Poul-Henning Kamp <phk@FreeBSD.org> |
Change the sleep identifier to "-" where random normally sleeps.
|
#
7ac40f5f |
|
02-Mar-2003 |
Poul-Henning Kamp <phk@FreeBSD.org> |
Gigacommit to improve device-driver source compatibility between branches: Initialize struct cdevsw using C99 sparse initializtion and remove all initializations to default values. This patch is automatically generated and has been tested by compiling LINT with all the fields in struct cdevsw in reverse order on alpha, sparc64 and i386. Approved by: re(scottl)
|
#
a163d034 |
|
18-Feb-2003 |
Warner Losh <imp@FreeBSD.org> |
Back out M_* changes, per decision of the TRB. Approved by: trb
|
#
44956c98 |
|
21-Jan-2003 |
Alfred Perlstein <alfred@FreeBSD.org> |
Remove M_TRYWAIT/M_WAITOK/M_WAIT. Callers should use 0. Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.
|
#
316ec49a |
|
02-Oct-2002 |
Scott Long <scottl@FreeBSD.org> |
Some kernel threads try to do significant work, and the default KSTACK_PAGES doesn't give them enough stack to do much before blowing away the pcb. This adds MI and MD code to allow the allocation of an alternate kstack who's size can be speficied when calling kthread_create. Passing the value 0 prevents the alternate kstack from being created. Note that the ia64 MD code is missing for now, and PowerPC was only partially written due to the pmap.c being incomplete there. Though this patch does not modify anything to make use of the alternate kstack, acpi and usb are good candidates. Reviewed by: jake, peter, jhb
|
#
a0a95ace |
|
21-Sep-2002 |
Mark Murray <markm@FreeBSD.org> |
Remove #ifdef'ed Giant mutex wrappers round debugging statements.
|
#
44731cab |
|
01-Apr-2002 |
John Baldwin <jhb@FreeBSD.org> |
Change the suser() API to take advantage of td_ucred as well as do a general cleanup of the API. The entire API now consists of two functions similar to the pre-KSE API. The suser() function takes a thread pointer as its only argument. The td_ucred member of this thread must be valid so the only valid thread pointers are curthread and a few kernel threads such as thread0. The suser_cred() function takes a pointer to a struct ucred as its first argument and an integer flag as its second argument. The flag is currently only used for the PRISON_ROOT flag. Discussed on: smp@
|
#
4a7cdfd7 |
|
03-Mar-2002 |
Mark Murray <markm@FreeBSD.org> |
Provide infrastructure for harvesting SWI entropy.
|
#
e1199601 |
|
03-Mar-2002 |
Mark Murray <markm@FreeBSD.org> |
Massive lint-inspired cleanup. Remove unneeded includes. Deal with unused function arguments. Resolve a boatload of signed/unsigned imcompatabilities. Etc.
|
#
a854ed98 |
|
27-Feb-2002 |
John Baldwin <jhb@FreeBSD.org> |
Simple p_ucred -> td_ucred changes to start using the per-thread ucred reference.
|
#
19f15659 |
|
26-Sep-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o Modify open() and close() for /dev/random to use securelevel_gt() instead of direct securelevel variable checks. Obtained from: TrustedBSD Project
|
#
ed01445d |
|
21-Sep-2001 |
John Baldwin <jhb@FreeBSD.org> |
Use the passed in thread to selrecord() instead of curthread.
|
#
b40ce416 |
|
12-Sep-2001 |
Julian Elischer <julian@FreeBSD.org> |
KSE Milestone 2 Note ALL MODULES MUST BE RECOMPILED make the kernel aware that there are smaller units of scheduling than the process. (but only allow one thread per process at this time). This is functionally equivalent to teh previousl -current except that there is a thread associated with each process. Sorry john! (your next MFC will be a doosie!) Reviewed by: peter@freebsd.org, dillon@freebsd.org X-MFC after: ha ha ha ha
|
#
fb919e4d |
|
01-May-2001 |
Mark Murray <markm@FreeBSD.org> |
Undo part of the tangle of having sys/lock.h and sys/mutex.h included in other "system" header files. Also help the deprecation of lockmgr.h by making it a sub-include of sys/lock.h and removing sys/lockmgr.h form kernel .c files. Sort sys/*.h includes where possible in affected files. OK'ed by: bde (with reservations)
|
#
f8388051 |
|
25-Mar-2001 |
Poul-Henning Kamp <phk@FreeBSD.org> |
Send the remains (such as I have located) of "block major numbers" to the bit-bucket.
|
#
41bc9751 |
|
24-Mar-2001 |
Mark Murray <markm@FreeBSD.org> |
Allow bog-standard ioctls through. There are really handled in higher layers, but there needs to be a "no-error" return here.
|
#
02c986ab |
|
09-Mar-2001 |
Mark Murray <markm@FreeBSD.org> |
Very large makeover of the /dev/random driver. o Separate the kernel stuff from the Yarrow algorithm. Yarrow is now well contained in one source file and one header. o Replace the Blowfish-based crypto routines with Rijndael-based ones. (Rijndael is the new AES algorithm). The huge improvement in Rijndael's key-agility over Blowfish means that this is an extremely dramatic improvement in speed, and makes a heck of a difference in its (lack of) CPU load. o Clean up the sysctl's. At BDE's prompting, I have gone back to static sysctls. o Bug fixes. The streamlining of the crypto stuff enabled me to find and fix some bugs. DES also found a bug in the reseed routine which is fixed. o Change the way reseeds clear "used" entropy. Previously, only the source(s) that caused a reseed were cleared. Now all sources in the relevant pool(s) are cleared. o Code tidy-up. Mostly to make it (nearly) 80-column compliant.
|
#
14636c3b |
|
18-Feb-2001 |
Mark Murray <markm@FreeBSD.org> |
Provide the infrastructure for sysadmins to select the broad class of entropy harvesting they wish to perform: "ethernet" (LAN), point-to-point and interrupt.
|
#
b79ad7e6 |
|
14-Jan-2001 |
Mark Murray <markm@FreeBSD.org> |
Remove NOBLOCKRANDOM as a compile-time option. Instead, provide exactly the same functionality via a sysctl, making this feature a run-time option. The default is 1(ON), which means that /dev/random device will NOT block at startup. setting kern.random.sys.seeded to 0(OFF) will cause /dev/random to block until the next reseed, at which stage the sysctl will be changed back to 1(ON). While I'm here, clean up the sysctls, and make them dynamic. Reviewed by: des Tested on Alpha by: obrien
|
#
0a2c3d48 |
|
08-Jan-2001 |
Garrett Wollman <wollman@FreeBSD.org> |
select() DKI is now in <sys/selinfo.h>.
|
#
5d4e386e |
|
25-Nov-2000 |
Mark Murray <markm@FreeBSD.org> |
D'uh. The explicit reseed was happening at the wrong security/privelige levels.
|
#
50636159 |
|
25-Nov-2000 |
Mark Murray <markm@FreeBSD.org> |
Greatly improve the boot-up unblocking time of the entropy device.
|
#
cf9fa8e7 |
|
29-Oct-2000 |
Poul-Henning Kamp <phk@FreeBSD.org> |
Move suser() and suser_xxx() prototypes and a related #define from <sys/proc.h> to <sys/systm.h>. Correctly document the #includes needed in the manpage. Add one now needed #include of <sys/systm.h>. Remove the consequent 48 unused #includes of <sys/proc.h>.
|
#
5f3431b5 |
|
27-Oct-2000 |
Mark Murray <markm@FreeBSD.org> |
As the blocking model has seems to be troublesome for many, disable it for now with an option. This option is already deprecated, and will be removed when the entropy-harvesting code is fast enough to warrant it.
|
#
93d88e00 |
|
18-Oct-2000 |
Peter Wemm <peter@FreeBSD.org> |
Attempt to fix the random read blocking. The old code slept at priority "0" and without PCATCH, so it was uninterruptable. And even when it did wake up after entropy arrived, it exited after the wakeup without actually reading the freshly arrived entropy. I sent this to Mark before but it seems he is in transit. Mark: feel free to replace this if it gets in your way.
|
#
a6278a2a |
|
14-Oct-2000 |
Mark Murray <markm@FreeBSD.org> |
After some complaints about the dir names, the random device is now in dirs called sys/*/random/ instead of sys/*/randomdev/*. Introduce blocking, but only at startup; the random device will block until the first reseed happens to prevent clients from using untrustworthy output. Provide a read_random() call for the rest of the kernel so that the entropy device does not need to be present. This means that things like IPX no longer need to have "device random" hardcoded into thir kernel config. The downside is that read_random() will provide very poor output until the entropy device is loaded and reseeded. It is recommended that developers do NOT use the read_random() call; instead, they should use arc4random() which internally uses read_random(). Clean up the mutex and locking code a bit; this makes it possible to unload the module again.
|
#
4a8612fd |
|
21-Sep-2000 |
Mark Murray <markm@FreeBSD.org> |
Remove unneeded includes. Submitted by: phk
|
#
c4ff4a84 |
|
18-Sep-2000 |
Robert Watson <rwatson@FreeBSD.org> |
Include <sys/proc.h> to silence suser() compiler warning. Approved by: markm
|
#
d0d51934 |
|
12-Sep-2000 |
Mark Murray <markm@FreeBSD.org> |
The "struct proc" argument to read_random was ill-conceived, and a hangover from previous experimentation. Remove it. This will clean up gratuitous needs for forward references and other namespace pollution. Moaned about by: bde Brought to my attention by: bp
|
#
4d87a031 |
|
10-Sep-2000 |
Mark Murray <markm@FreeBSD.org> |
Large upgrade to the entropy device; mainly inspired by feedback from many folk. o The reseed process is now a kthread. With SMPng, kthreads are pre-emptive, so the annoying jerkiness of the mouse is gone. o The data structures are protected by mutexes now, not splfoo()/splx(). o The cryptographic routines are broken out into their own subroutines. this facilitates review, and possible replacement if that is ever found necessary. Thanks to: kris, green, peter, jasone, grog, jhb Forgotten to thank: You know who you are; no offense intended.
|
#
7aa4389a |
|
25-Jul-2000 |
Mark Murray <markm@FreeBSD.org> |
o Fix a horrible bug where small reads (< 8 bytes) would return the wrong bytes. o Improve the public interface; use void* instead of char* or u_int64_t to pass arbitrary data around. Submitted by: kris ("horrible bug")
|
#
720a3741 |
|
16-Jul-2000 |
Mark Murray <markm@FreeBSD.org> |
Add randomness write functionality. This does absolutely nothing for entropy estimation, but causes an immediate reseed after the input (read in sizeof(u_int64_t) chunks) is "harvested". This will be used in the reboot "reseeder", coming in another commit. This can be used very effectively at any time you think your randomness is compromised; something like # (ps -gauxwww; netstat -an; dmesg; vmstat -c10 1) > /dev/random will give the attacker something to think about.
|
#
769afb04 |
|
09-Jul-2000 |
Mark Murray <markm@FreeBSD.org> |
Fix bug with a vraiable that needs to be per-process, not static; fix formatting of long macros. Pointed out by: bde
|
#
c9ec235c |
|
07-Jul-2000 |
Mark Murray <markm@FreeBSD.org> |
Add entropy gathering code. This will work whether the module is compiled in or loaded.
|
#
d44f4017 |
|
28-Jun-2000 |
Mark Murray <markm@FreeBSD.org> |
Staticize a variable. This fixes the case where linking randomdev into the kernel statically can cause panics at shutdown time. Reported by: sos
|
#
1f67cd87 |
|
27-Jun-2000 |
Mark Murray <markm@FreeBSD.org> |
I am guilty of an act of ommission. There is no longer a /dev/urandom device with Yarrow, and although I coded for that in dev/MAKEDEV, I forgot to _tell_ folks. This commit adds back the /dev/urandom device (as a duplicate) of /dev/random, until such time as it can be properly announced. This will help the openssl users quite a lot.
|
#
d4262fb0 |
|
25-Jun-2000 |
Mark Murray <markm@FreeBSD.org> |
style(9) fixes from BDE. We shouldn't use '#include ""', rather '#include<>'.
|
#
39d93857 |
|
25-Jun-2000 |
Mark Murray <markm@FreeBSD.org> |
Fix include for the non-module case. Thanks-to: SOS
|
#
4db9ae91 |
|
25-Jun-2000 |
Mark Murray <markm@FreeBSD.org> |
New machine-independant /dev/random driver. This is work-in-progress, and the entropy-gathering routines are not yet present. As such, this should be viewed as a pretty reasonable PRNG with _ABSOLUTELY_NO_ security!! Entropy gathering will be the subject of ongoing work. This is written as a module, and as such is unloadable, but there is no refcounting done. I would like to use something like device_busy(9) to achieve this (eventually). Lots of useful ideas from: bde, phk, Jeroen van Gelderen Reviewed by: dfr
|