path: root/sys/sys/random.h
Commit message | Author | Age | Files | Lines
* Remove opt_random.h header pollution from sys/random.h by moving | ngie | 2015-09-08 | 1 | -2/+0
| RANDOM_LOADABLE and RANDOM_YARROW's definitions from opt_random.h to
| opt_global.h
|
| This unbreaks `make depend` in sys/modules with multiple drivers
| (tmpfs, etc) after r286839
|
| X-MFC with: r286839
| Reviewed by: imp
| Submitted by: lwhsu
| Differential Revision: D3486
* Make the UMA harvesting go away completely if not wanted. Default to "not | markm | 2015-08-22 | 1 | -3/+11
| wanted".
| Provide and document the RANDOM_ENABLE_UMA option.
| Change RANDOM_FAST to RANDOM_UMA to clarify the harvesting.
| Remove RANDOM_DEBUG option, replace with SDT probes. These will be of
| use to folks measuring the harvesting effect when deciding whether to
| use RANDOM_ENABLE_UMA.
|
| Requested by: scottl and others.
| Approved by: so (/dev/random blanket)
| Differential Revision: https://reviews.freebsd.org/D3197
* Add DEV_RANDOM pseudo-option and use it to "include out" random(4) | markm | 2015-08-17 | 1 | -6/+25
| if desired.
| Retire randomdev_none.c and introduce random_infra.c for resident
| infrastructure.
| Completely stub out random(4) calls in the "without DEV_RANDOM" case.
| Add RANDOM_LOADABLE option to allow loadable
| Yarrow/Fortuna/LocallyWritten algorithm.
| Add a skeleton "other" algorithm framework for folks to add their own
| processing code. NIST, anyone?
| Retire the RANDOM_DUMMY option.
| Build modules for Yarrow, Fortuna and "other".
| Use atomics for the live entropy rate-tracking.
| Convert ints to bools for the 'seeded' logic.
| Move _write() function from the algorithm-specific areas to randomdev.c
| Get rid of reseed() function - it is unused.
| Tidy up the opt_*.h includes.
| Update documentation for random(4) modules.
| Fix test program (reviewers, please leave this).
|
| Differential Revision: https://reviews.freebsd.org/D3354
| Reviewed by: wblock,delphij,jmg,bjk
| Approved by: so (/dev/random blanket)
* Implement the CloudABI random_get() system call. | ed | 2015-07-14 | 1 | -0/+5
| The random_get() system call works similar to getentropy()/getrandom()
| on OpenBSD/Linux. It fills a buffer with random data.
|
| This change introduces a new function, read_random_uio(), that is used
| to implement read() on the random devices. We can call into this
| function from within the CloudABI compatibility layer.
|
| Approved by: secteam
| Reviewed by: jmg, markm, wblock
| Obtained from: https://github.com/NuxiNL/freebsd
| Differential Revision: https://reviews.freebsd.org/D3053
* Huge cleanup of random(4) code. | markm | 2015-06-30 | 1 | -5/+17
| * GENERAL
| - Update copyright.
| - Make kernel options for RANDOM_YARROW and RANDOM_DUMMY. Set neither
|   to ON, which means we want Fortuna
| - If there is no 'device random' in the kernel, there will be NO
|   random(4) device in the kernel, and the KERN_ARND sysctl will return
|   nothing. With RANDOM_DUMMY there will be a random(4) that always
|   blocks.
| - Repair kern.arandom (KERN_ARND sysctl). The old version went through
|   arc4random(9) and was a bit weird.
| - Adjust arc4random stirring a bit - the existing code looks a little
|   suspect.
| - Fix the nasty pre- and post-read overloading by providing explicit
|   functions to do these tasks.
| - Redo read_random(9) so as to duplicate random(4)'s read internals.
|   This makes it a first-class citizen rather than a hack.
| - Move stuff out of locked regions when it does not need to be there.
| - Trim RANDOM_DEBUG printfs. Some are excess to requirement, some
|   behind boot verbose.
| - Use SYSINIT to sequence the startup.
| - Fix init/deinit sysctl stuff.
| - Make relevant sysctls also tunables.
| - Add different harvesting "styles" to allow for different
|   requirements (direct, queue, fast).
| - Add harvesting of FFS atime events. This needs to be checked for
|   weighing down the FS code.
| - Add harvesting of slab allocator events. This needs to be checked
|   for weighing down the allocator code.
| - Fix the random(9) manpage.
| - Loadable modules are not present for now. These will be
|   re-engineered when the dust settles.
| - Use macros for locks.
| - Fix comments.
|
| * src/share/man/...
| - Update the man pages.
|
| * src/etc/...
| - The startup/shutdown work is done in D2924.
|
| * src/UPDATING
| - Add UPDATING announcement.
|
| * src/sys/dev/random/build.sh
| - Add copyright.
| - Add libz for unit tests.
|
| * src/sys/dev/random/dummy.c
| - Remove; no longer needed. Functionality incorporated into
|   randomdev.*.
|
| * live_entropy_sources.c live_entropy_sources.h
| - Remove; content moved.
| - move content to randomdev.[ch] and optimise.
|
| * src/sys/dev/random/random_adaptors.c
|   src/sys/dev/random/random_adaptors.h
| - Remove; pluggability is no longer used. Compile-time algorithm
|   selection is the way to go.
|
| * src/sys/dev/random/random_harvestq.c
|   src/sys/dev/random/random_harvestq.h
| - Add early (re)boot-time randomness caching.
|
| * src/sys/dev/random/randomdev_soft.c
|   src/sys/dev/random/randomdev_soft.h
| - Remove; no longer needed.
|
| * src/sys/dev/random/uint128.h
| - Provide a fake uint128_t; if a real one ever arrived, we can use
|   that instead. All that is needed here is N=0, N++, N==0, and some
|   localised trickery is used to manufacture a 128-bit 0ULLL.
|
| * src/sys/dev/random/unit_test.c src/sys/dev/random/unit_test.h
| - Improve unit tests; previously the testing human needed
|   clairvoyance; now the test will do a basic check of compressibility.
|   Clairvoyant talent is still a good idea.
| - This is still a long way off a proper unit test.
|
| * src/sys/dev/random/fortuna.c src/sys/dev/random/fortuna.h
| - Improve messy union to just uint128_t.
| - Remove unneeded 'static struct fortuna_start_cache'.
| - Tighten up arithmetic.
| - Provide a method to allow eternal junk to be introduced; harden it
|   against blatant by compress/hashing.
| - Assert that locks are held correctly.
| - Fix the nasty pre- and post-read overloading by providing explicit
|   functions to do these tasks.
| - Turn into self-sufficient module (no longer requires
|   randomdev_soft.[ch])
|
| * src/sys/dev/random/yarrow.c src/sys/dev/random/yarrow.h
| - Improve messy union to just uint128_t.
| - Remove unneeded 'static struct start_cache'.
| - Tighten up arithmetic.
| - Provide a method to allow eternal junk to be introduced; harden it
|   against blatant by compress/hashing.
| - Assert that locks are held correctly.
| - Fix the nasty pre- and post-read overloading by providing explicit
|   functions to do these tasks.
| - Turn into self-sufficient module (no longer requires
|   randomdev_soft.[ch])
| - Fix some magic numbers elsewhere used as FAST and SLOW.
|
| Differential Revision: https://reviews.freebsd.org/D2025
| Reviewed by: vsevolod,delphij,rwatson,trasz,jmg
| Approved by: so (delphij)
* This is the much-discussed major upgrade to the random(4) device, known to | markm | 2014-10-30 | 1 | -17/+12
| you all as /dev/random.
|
| This code has had an extensive rewrite and a good series of reviews,
| both by the author and other parties. This means a lot of code has been
| simplified. Pluggable structures for high-rate entropy generators are
| available, and it is most definitely not the case that /dev/random can
| be driven by only a hardware source any more. This has been designed
| out of the device. Hardware sources are stirred into the CSPRNG
| (Yarrow, Fortuna) like any other entropy source. Pluggable modules may
| be written by third parties for additional sources.
|
| The harvesting structures and consequently the locking have been
| simplified. Entropy harvesting is done in a more general way (the
| documentation for this will follow). There is some GREAT entropy to be
| had in the UMA allocator, but it is disabled for now as messing with
| that is likely to annoy many people.
|
| The venerable (but effective) Yarrow algorithm, which is no longer
| supported by its authors now has an alternative, Fortuna. For now,
| Yarrow is retained as the default algorithm, but this may be changed
| using a kernel option. It is intended to make Fortuna the default
| algorithm for 11.0. Interested parties are encouraged to read ISBN
| 978-0-470-47424-2 "Cryptography Engineering" By Ferguson, Schneier and
| Kohno for Fortuna's gory details. Heck, read it anyway.
|
| Many thanks to Arthur Mesh who did early grunt work, and who got caught
| in the crossfire rather more than he deserved to.
|
| My thanks also to folks who helped me thresh this out on whiteboards
| and in the odd "Hallway track", or otherwise.
|
| My Nomex pants are on. Let the feedback commence!
|
| Reviewed by: trasz,des(partial),imp(partial?),rwatson(partial?)
| Approved by: so(des)
* Add very simple virtio_random(4) driver to harvest entropy from host | bryanv | 2014-01-18 | 1 | -0/+1
| Reviewed by: markm (random bits only)
* Convert the random entropy harvesting code to use a const void * pointer | adrian | 2013-11-01 | 1 | -1/+1
| rather than just void *.
|
| Then, as part of this, convert a couple of mbuf m->m_data accesses
| to mtod(m, const void *).
|
| Reviewed by: markm
| Approved by: security-officer (delphij)
| Sponsored by: Netflix, Inc.
* Define RANDOM_PURE_RNDTEST for rndtest(4). | des | 2013-10-09 | 1 | -0/+1
* Make a mildly stylistic change to the order of sources in this enum. | markm | 2013-10-08 | 1 | -1/+1
* Add YARROW_RNG and FORTUNA_RNG to sys/conf/options. | des | 2013-10-08 | 1 | -0/+1
| Add a SYSINIT that forces a reseed during proc0 setup, which happens
| fairly late in the boot process.
|
| Add a RANDOM_DEBUG option which enables some debugging printf()s.
|
| Add a new RANDOM_ATTACH entropy source which harvests entropy from the
| get_cyclecount() delta across each call to a device attach method.
* Snapshot. | markm | 2013-10-06 | 1 | -2/+1
| Looking pretty good; this mostly works now. New code includes:
|
| * Read cached entropy at startup, both from files and from loader(8)
|   preloaded entropy. Failures are soft, but announced. Untested.
| * Use EVENTHANDLER to do above just before we go multiuser. Untested.
* Snapshot. This passes the build test, but has not yet been finished or debugged. | markm | 2013-10-04 | 1 | -1/+8
| Contains:
|
| * Refactor the hardware RNG CPU instruction sources to feed into
|   the software mixer. This is unfinished. The actual harvesting needs
|   to be sorted out. Modified by me (see below).
| * Remove 'frac' parameter from random_harvest(). This was never
|   used and adds extra code for no good reason.
| * Remove device write entropy harvesting. This provided a weak
|   attack vector, was not very good at bootstrapping the device. To
|   follow will be a replacement explicit reseed knob.
| * Separate out all the RANDOM_PURE sources into separate harvest
|   entities. This adds some security in the case where more than one
|   is present.
| * Review all the code and fix anything obviously messy or
|   inconsistent. Address some review concerns while I'm here, like
|   rename the pseudo-rng to 'dummy'.
|
| Submitted by: Arthur Mesh <arthurmesh@gmail.com> (the first item)
* Snapshot; Do some running repairs on entropy harvesting. More needs to follow. | markm | 2013-08-26 | 1 | -2/+6
* Add a note ahead of the esource enum that if new entropy source | rwatson | 2004-10-12 | 1 | -0/+4
| categories are added, the set of entropy source assertions in the
| harvesting code also need to be updated.
* add RANDOM_PURE for use by crypto drivers that harvest data from h/w RNG's | sam | 2002-10-04 | 1 | -0/+1
* Provide infrastructure for harvesting SWI entropy. | markm | 2002-03-03 | 1 | -1/+2
* Massive lint-inspired cleanup. | markm | 2002-03-03 | 1 | -4/+11
| Remove unneeded includes.
| Deal with unused function arguments.
| Resolve a boatload of signed/unsigned incompatibilities.
| Etc.
* Provide the infrastructure for sysadmins to select the broad class | markm | 2001-02-18 | 1 | -0/+11
| of entropy harvesting they wish to perform: "ethernet" (LAN),
| point-to-point and interrupt.
* Add a constant for the (to be committed at a later time) irq-entropy | markm | 2000-11-25 | 1 | -2/+2
| harvester.
* The "struct proc" argument to read_random was ill-conceived, and a | markm | 2000-09-12 | 1 | -3/+1
| hangover from previous experimentation. Remove it. This will clean
| up gratuitous needs for forward references and other namespace
| pollution.
|
| Moaned about by: bde
| Brought to my attention by: bp
* Forward declare 'struct proc'. | jhb | 2000-09-11 | 1 | -0/+2
| Requested by: bde
* Large upgrade to the entropy device; mainly inspired by feedback | markm | 2000-09-10 | 1 | -1/+1
| from many folk.
|
| o The reseed process is now a kthread. With SMPng, kthreads are
|   pre-emptive, so the annoying jerkiness of the mouse is gone.
| o The data structures are protected by mutexes now, not
|   splfoo()/splx().
| o The cryptographic routines are broken out into their own
|   subroutines. this facilitates review, and possible replacement if
|   that is ever found necessary.
|
| Thanks to: kris, green, peter, jasone, grog, jhb
| Forgotten to thank: You know who you are; no offense intended.
* o Fix a horrible bug where small reads (< 8 bytes) would return the | markm | 2000-07-25 | 1 | -4/+5
|   wrong bytes.
| o Improve the public interface; use void* instead of char* or
|   u_int64_t to pass arbitrary data around.
|
| Submitted by: kris ("horrible bug")
* Clean this up with some BDE-inspired fixes. | markm | 2000-07-23 | 1 | -3/+2
| o Make the comments KNF-compliant.
| o Use nanotime instead of getnanotime; the manpage lies about the
|   kern.timecounter.method - it has been removed.
| o Fix the ENTROPYSOURCE const permanently.
| o Make variable names more consistent.
| o Make function prototypes more consistent.
|
| Some more needs to be done; to follow.
* Add randomness write functionality. This does absolutely nothing for | markm | 2000-07-17 | 1 | -1/+1
| entropy estimation, but causes an immediate reseed after the input
| (read in sizeof(u_int64_t) chunks) is "harvested".
|
| This will be used in the reboot "reseeder", coming in another
| commit. This can be used very effectively at any time you think
| your randomness is compromised; something like
|
| # (ps -gauxwww; netstat -an; dmesg; vmstat -c10 1) > /dev/random
|
| will give the attacker something to think about.
* Yarrow tweaks; separate the fast and slow reseed tasks so that they don't | markm | 2000-07-09 | 1 | -0/+1
| stomp on each other; provide constant names (as enums) for the
| harvester to use (makes it more self-documenting).
* Darn; didn't commit this with the rest of the entropy gathering code. | markm | 2000-07-07 | 1 | -0/+6
* Forgot this earlier; delete the old /dev/random driver, bring in the | markm | 2000-06-25 | 1 | -76/+20
| header for the new.
|
| Reviewed by: dfr
* Updated the name of the idempotency macro to match the move of this file. | bde | 2000-04-30 | 1 | -3/+4
| Fixed a missing forward declaration.
* Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" | peter | 1999-12-29 | 1 | -2/+2
| is an application space macro and the applications are supposed to be
| free to use it as they please (but cannot). This is consistent with
| the other BSD's who made this change quite some time ago. More commits
| to come.
* $Id$ -> $FreeBSD$ | peter | 1999-08-28 | 1 | -1/+1
* Converted add_interrupt_randomness() to take a `void *' arg. Rewrote | bde | 1998-06-21 | 1 | -5/+8
| mmioctl() to fix hundreds of style bugs and a few error handling bugs
| (don't check for superuser privilege for inappropriate ioctls, don't
| check the input arg for the output-only MEM_RETURNIRQ ioctl, and don't
| return EPERM for null changes).
* Changed the type of an isa/general interrupt handler to take a | bde | 1998-06-18 | 1 | -2/+2
| `void *' arg. Fixed or hid most of the resulting type mismatches.
| Handlers can now be updated locally (except for reworking their
| global declarations in isa_device.h).
* Make read_random() take a (void *) argument instead of (char *) | phk | 1998-04-06 | 1 | -3/+3
* Update select -> poll in drivers. | peter | 1997-09-14 | 1 | -2/+2
* Removed #include of <i386/isa/isa_device.h>. inthand2_t is declared in a | bde | 1997-06-07 | 1 | -4/+1
| better place now.
* Back out part 1 of the MCFH that changed $Id$ to $FreeBSD$. We are not | peter | 1997-02-22 | 1 | -1/+1
| ready for it yet.
* Make the long-awaited change from $Id$ to $FreeBSD$ | jkh | 1997-01-14 | 1 | -1/+1
| This will make a number of things easier in the future, as well as
| (finally!) avoiding the Id-smashing problem which has plagued
| developers for so long.
|
| Boy, I'm glad we're not using sup anymore. This update would have been
| insane otherwise.
* Drat, missed this prototype for random_select(). | peter | 1996-09-27 | 1 | -1/+2
* Cleaned up all headers that include <sys/ioctl.h> or <sys/ioccom.h>: | bde | 1996-09-21 | 1 | -2/+2
| - don't include <sys/ioctl.h> in any header. Include <sys/ioccom.h>
|   instead. This was already done in 4.4Lite for the most important
|   ioctl headers. Header spam currently increases kernel build times
|   by 10-20%. There are more than 30000 #includes (not counting
|   duplicates) for compiling LINT.
| - include <sys/types.h> if and only if it is necessary to make the
|   header almost self-sufficient (some ioctl headers still need structs
|   from elsewhere).
| - uniformized idempotency ifdefs. Copied the style in the 4.4Lite
|   ioctl headers.
* Second phase of merge, get rid of more machine-independent-dependencies. | asami | 1996-09-03 | 1 | -5/+1
| Get rid of pc98/pc98/pc98_device.h.
|
| Submitted by: The FreeBSD(98) Development Team
* Reduced nesting of #includes in random.h and adjusted isa/random_machdep.c | bde | 1996-06-17 | 1 | -17/+15
| to match (pc98/random_machdep.c probably requires a similar change).
| This is a problem area for the PC98 merge - all PC98 ifdefs in
| <machine/*.h> are kludges to work around incorrect layering.
* The Great PC98 Merge. | asami | 1996-06-14 | 1 | -1/+6
| All new code is "#ifdef PC98"ed so this should make no difference to
| PC/AT (and its clones) users.
|
| Ok'd by: core
| Submitted by: FreeBSD(98) development team
* Fix a bunch of spelling errors in the comment fields of | mpp | 1996-01-30 | 1 | -2/+2
| a bunch of system include files.
* 1) ifdef out some unused functions (for now) | markm | 1995-12-29 | 1 | -0/+7
| 2) improve 586 support
| 3) add 686 support
| 4) clean up comments etc
|
| Submitted by: bde
* Clean up and make more universal. Next version of random device. | markm | 1995-12-27 | 1 | -5/+16
* Theodore Ts'o's random number generator for Linux, ported by me. | markm | 1995-10-28 | 1 | -0/+72
| This code will only be included in your kernel if you have
| 'options DEVRANDOM', but that will fall away in a couple of days.
|
| Obtained from: Theodore Ts'o, Linux