tech-security archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: rework rndsink and cprng locking
Date: Mon, 17 Jun 2013 03:30:55 +0000
From: Taylor R Campbell <riastradh%NetBSD.org@localhost>
The attached patch reworks the rndsink(9) abstraction to simplify it
and fix various races, and rework the implementation (but not the
crypto) of cprng(9) in the process. Comments?
Some discussion with rmind@ today revealed a (highly unlikely) race
that could cause a read from /dev/random to hang indefinitely even
though entropy is available. Attached is an updated patch that fixes
it by adding a hook for rndsink callbacks to use under their internal
locks to mark an rndsink ready for requeueing.
commit ca26baaef98625b0ba3670380c4e4dd46092adf9
Author: Taylor R Campbell <riastradh%NetBSD.org@localhost>
Date: Wed Apr 10 20:40:27 2013 +0000
Rework rndsink(9) abstraction and adapt arc4random(9) and cprng(9).
rndsink(9):
- Simplify API.
- Simplify locking scheme.
- Add a man page.
- Avoid races in destruction.
- Avoid races in requesting entropy now and scheduling entropy later.
Periodic distribution of entropy to sinks reduces the need for the
last one, but this way we don't need to rely on periodic distribution
(e.g., in a future tickless NetBSD).
rndsinks_lock should probably eventually merge with the rndpool lock,
but we'll put that off for now.
cprng(9):
- Make struct cprng_strong opaque.
- Move rndpseudo.c parts that futz with cprng guts to subr_cprng.c.
- Fix kevent locking. (Is kevent locking documented anywhere?)
- Stub out rump cprng further until we can rumpify rndsink instead.
- Strip code to grovel through struct cprng_strong in fstat.
diff --git a/share/man/man9/rndsink.9 b/share/man/man9/rndsink.9
new file mode 100644
index 0000000..83eb015
--- /dev/null
+++ b/share/man/man9/rndsink.9
@@ -0,0 +1,161 @@
+.\" $NetBSD$
+.\"
+.\" Copyright (c) 2013 The NetBSD Foundation, Inc.
+.\" All rights reserved.
+.\"
+.\" This documentation is derived from text contributed to The NetBSD
+.\" Foundation by Taylor R. Campbell.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd June 17, 2013
+.Dt RNDSINK 9
+.Os
+.Sh NAME
+.Nm rndsink ,
+.Nm rndsink_create ,
+.Nm rndsink_destroy ,
+.Nm rndsink_request ,
+.Nm rndsink_schedule ,
+.Nm rndsink_commit ,
+.Nd functions to asynchronously request entropy from the system entropy pool
+.Sh SYNOPSIS
+.In sys/rndsink.h
+.Ft struct rndsink *
+.Fn rndsink_create "size_t bytes" "void (*callback)(void *, const void *,
size_t)" "void *arg"
+.Ft void
+.Fn rndsink_destroy "struct rndsink *rndsink"
+.Ft bool
+.Fn rndsink_request "struct rndsink *rndsink" "void *buffer" "size_t bytes"
+.Ft void
+.Fn rndsink_schedule "struct rndsink *rndsink"
+.Ft void
+.Fn rndsink_commit "struct rndsink *rndsink"
+.Sh DESCRIPTION
+The
+.Nm
+functions support asynchronous requests for entropy from the system
+entropy pool.
+Users must call
+.Fn rndsink_create
+to create an rndsink which they may then pass to
+.Fn rndsink_request
+to request data from the system entropy pool.
+If full entropy is not available, the system will call a callback when
+entropy is next available.
+Users can schedule a callback without requesting data now using
+.Fn rndsink_schedule .
+When users no longer need an rndsink, they must pass it to
+.Fn rndsink_destroy .
+.Pp
+This API provides direct access to the system entropy pool.
+Most users should use the
+.Xr cprng 9
+API instead, which interposes a cryptographic pseudorandom number
+generator between the user and the entropy pool.
+.Sh FUNCTIONS
+.Bl -tag -width abcd
+.It Fn rndsink_create bytes callback arg
+Create an rndsink for requests of
+.Fa bytes
+bytes of entropy, which must be no more than
+.Dv RNDSINK_MAX_BYTES .
+When requested and enough entropy is available, the system will call
+.Fa callback
+with three arguments:
+.Bl -item -offset indent
+.It
+.Fa arg ,
+an arbitrary user-supplied pointer;
+.It
+a pointer to a buffer containing the bytes of entropy; and
+.It
+the number of bytes in the buffer, which will always be
+.Fa bytes .
+.El
+.Pp
+The callback will be called in soft interrupt context.
+When the callback has used the entropy, it must call
+.Fn rndsink_commit
+under any of its own internal locks, in order to enable future
+callbacks.
+.Pp
+.Fn rndsink_create
+may sleep to allocate memory.
+.It Fn rndsink_destroy rndsink
+Destroy an rndsink.
+.Fn rndsink_destroy
+may sleep to wait for pending callbacks to complete and to deallocate
+memory.
+.It Fn rndsink_request rndsink buffer bytes
+Store
+.Fa bytes
+bytes derived from the system entropy pool in
+.Fa buffer .
+If the bytes have full entropy, return true.
+Otherwise, schedule a callback as if with
+.Fn rndsink_schedule
+and return false.
+In either case,
+.Fn rndsink_request
+will store data in
+.Fa buffer .
+The argument
+.Fa bytes
+must be the same as the argument to
+.Fn rndsink_create
+that was used to create
+.Fa rndsink .
+May be called at
+.Dv IPL_VM
+or lower.
+The caller should use
+.Xr explicit_bzero 3
+to clear
+.Fa buffer
+once it has used the data stored there.
+.It Fn rndsink_schedule rndsink
+Schedule a callback when the system entropy pool has enough entropy.
+If a callback is already scheduled, it remains scheduled.
+May be called at
+.Dv IPL_VM
+or lower.
+.It Fn rndsink_commit rndsink
+Enable future callbacks by the rndsink after one has begun.
+Must be called by the callback under any of the callback's internal
+locks when the callback has used the provided entropy.
+May be called under
+.Dv IPL_VM
+or lower.
+.El
+.Sh CODE REFERENCES
+The rndsink API is implemented in
+.Pa sys/kern/kern_rndsink.c
+and
+.Pa sys/sys/rndsink.h .
+.Sh SEE ALSO
+.Xr explicit_bzero 3 ,
+.Xr cprng 9 ,
+.Xr rnd 9
+.Sh HISTORY
+The rndsink API first appeared in
+.Nx 7.0 .
diff --git a/sys/conf/files b/sys/conf/files
index c8bff34..7cf95fe 100644
--- a/sys/conf/files
+++ b/sys/conf/files
@@ -1524,6 +1524,7 @@ file kern/kern_rate.c
file kern/kern_resource.c
file kern/kern_rndpool.c
file kern/kern_rndq.c
+file kern/kern_rndsink.c
file kern/kern_runq.c
file kern/kern_rwlock.c
file kern/kern_rwlock_obj.c
diff --git a/sys/dev/rndpseudo.c b/sys/dev/rndpseudo.c
index 5787062..3bbb522 100644
--- a/sys/dev/rndpseudo.c
+++ b/sys/dev/rndpseudo.c
@@ -679,12 +679,10 @@ rnd_poll(struct file *fp, int events)
}
}
- if (cprng_strong_ready(ctx->cprng)) {
- revents |= events & (POLLIN | POLLRDNORM);
+ if (ctx->hard) {
+ revents |= cprng_strong_poll(ctx->cprng, events);
} else {
- mutex_enter(&ctx->cprng->mtx);
- selrecord(curlwp, &ctx->cprng->selq);
- mutex_exit(&ctx->cprng->mtx);
+ revents |= (events & (POLLIN | POLLRDNORM));
}
return (revents);
@@ -723,39 +721,10 @@ rnd_close(struct file *fp)
return 0;
}
-static void
-filt_rnddetach(struct knote *kn)
-{
- cprng_strong_t *c = kn->kn_hook;
-
- mutex_enter(&c->mtx);
- SLIST_REMOVE(&c->selq.sel_klist, kn, knote, kn_selnext);
- mutex_exit(&c->mtx);
-}
-
-static int
-filt_rndread(struct knote *kn, long hint)
-{
- cprng_strong_t *c = kn->kn_hook;
-
- if (cprng_strong_ready(c)) {
- kn->kn_data = RND_TEMP_BUFFER_SIZE;
- return 1;
- }
- return 0;
-}
-
-static const struct filterops rnd_seltrue_filtops =
- { 1, NULL, filt_rnddetach, filt_seltrue };
-
-static const struct filterops rndread_filtops =
- { 1, NULL, filt_rnddetach, filt_rndread };
-
static int
rnd_kqfilter(struct file *fp, struct knote *kn)
{
rp_ctx_t *ctx = fp->f_data;
- struct klist *klist;
if (ctx->cprng == NULL) {
rnd_alloc_cprng(ctx);
@@ -764,27 +733,5 @@ rnd_kqfilter(struct file *fp, struct knote *kn)
}
}
- mutex_enter(&ctx->cprng->mtx);
- switch (kn->kn_filter) {
- case EVFILT_READ:
- klist = &ctx->cprng->selq.sel_klist;
- kn->kn_fop = &rndread_filtops;
- break;
-
- case EVFILT_WRITE:
- klist = &ctx->cprng->selq.sel_klist;
- kn->kn_fop = &rnd_seltrue_filtops;
- break;
-
- default:
- mutex_exit(&ctx->cprng->mtx);
- return EINVAL;
- }
-
- kn->kn_hook = ctx->cprng;
-
- SLIST_INSERT_HEAD(klist, kn, kn_selnext);
-
- mutex_exit(&ctx->cprng->mtx);
- return (0);
+ return cprng_strong_kqfilter(ctx->cprng, kn);
}
diff --git a/sys/kern/kern_rndq.c b/sys/kern/kern_rndq.c
index 0497aa8..4ecab79 100644
--- a/sys/kern/kern_rndq.c
+++ b/sys/kern/kern_rndq.c
@@ -48,6 +48,7 @@ __KERNEL_RCSID(0, "$NetBSD: kern_rndq.c,v 1.12 2013/06/13
01:37:03 tls Exp $");
#include <sys/callout.h>
#include <sys/intr.h>
#include <sys/rnd.h>
+#include <sys/rndsink.h>
#include <sys/vnode.h>
#include <sys/pool.h>
#include <sys/kauth.h>
@@ -104,17 +105,6 @@ SIMPLEQ_HEAD(, _rnd_sample_t) rnd_samples;
kmutex_t rnd_mtx;
/*
- * Entropy sinks: usually other generators waiting to be rekeyed.
- *
- * A sink's callback MUST NOT re-add the sink to the list, or
- * list corruption will occur. The list is protected by the
- * rndsink_mtx, which must be released before calling any sink's
- * callback.
- */
-TAILQ_HEAD(, rndsink) rnd_sinks;
-kmutex_t rndsink_mtx;
-
-/*
* Memory pool for sample buffers
*/
static pool_cache_t rnd_mempc;
@@ -242,7 +232,7 @@ rnd_schedule_wakeup(void)
/*
* Tell any sources with "feed me" callbacks that we are hungry.
*/
-static void
+void
rnd_getmore(size_t byteswanted)
{
krndsource_t *rs;
@@ -268,85 +258,30 @@ rnd_getmore(size_t byteswanted)
void
rnd_wakeup_readers(void)
{
- rndsink_t *sink, *tsink;
- size_t entropy_count;
- TAILQ_HEAD(, rndsink) sunk = TAILQ_HEAD_INITIALIZER(sunk);
+ /*
+ * XXX This bookkeeping shouldn't be here -- this is not where
+ * the rnd_empty/rnd_initial_entropy state change actually
+ * happens.
+ */
mutex_spin_enter(&rndpool_mtx);
- entropy_count = rndpool_get_entropy_count(&rnd_pool);
+ const size_t entropy_count = rndpool_get_entropy_count(&rnd_pool);
if (entropy_count < RND_ENTROPY_THRESHOLD * 8) {
rnd_empty = 1;
mutex_spin_exit(&rndpool_mtx);
return;
} else {
#ifdef RND_VERBOSE
- if (__predict_false(!rnd_initial_entropy)) {
- printf("rnd: have initial entropy (%u)\n",
- (unsigned int)entropy_count);
- }
+ if (__predict_false(!rnd_initial_entropy))
+ printf("rnd: have initial entropy (%zu)\n",
+ entropy_count);
#endif
rnd_empty = 0;
rnd_initial_entropy = 1;
}
-
- /*
- * First, take care of consumers needing rekeying.
- */
- mutex_spin_enter(&rndsink_mtx);
- TAILQ_FOREACH_SAFE(sink, &rnd_sinks, tailq, tsink) {
- if (!mutex_tryenter(&sink->mtx)) {
-#ifdef RND_VERBOSE
- printf("rnd_wakeup_readers: "
- "skipping busy rndsink\n");
-#endif
- continue;
- }
-
- KASSERT(RSTATE_PENDING == sink->state);
-
- if (sink->len * 8 < rndpool_get_entropy_count(&rnd_pool)) {
- /* We have enough entropy to sink some here. */
- if (rndpool_extract_data(&rnd_pool, sink->data,
- sink->len, RND_EXTRACT_GOOD)
- != sink->len) {
- panic("could not extract estimated "
- "entropy from pool");
- }
- sink->state = RSTATE_HASBITS;
- /* Move this sink to the list of pending callbacks */
- TAILQ_REMOVE(&rnd_sinks, sink, tailq);
- TAILQ_INSERT_HEAD(&sunk, sink, tailq);
- } else {
-#ifdef RND_VERBOSE
- printf("sink wants %d, we have %d, asking for more\n",
- (int)sink->len * 8,
- (int)rndpool_get_entropy_count(&rnd_pool));
-#endif
- mutex_spin_exit(&sink->mtx);
- rnd_getmore(sink->len * 8);
- }
- }
- mutex_spin_exit(&rndsink_mtx);
mutex_spin_exit(&rndpool_mtx);
- /*
- * Now that we have dropped the mutexes, we can run sinks' callbacks.
- * Since we have reused the "tailq" member of the sink structure for
- * this temporary on-stack queue, the callback must NEVER re-add
- * the sink to the main queue, or our on-stack queue will become
- * corrupt.
- */
- while ((sink = TAILQ_FIRST(&sunk))) {
-#ifdef RND_VERBOSE
- printf("supplying %d bytes to entropy sink \"%s\""
- " (cb %p, arg %p).\n",
- (int)sink->len, sink->name, sink->cb, sink->arg);
-#endif
- sink->state = RSTATE_HASBITS;
- sink->cb(sink->arg);
- TAILQ_REMOVE(&sunk, sink, tailq);
- mutex_spin_exit(&sink->mtx);
- }
+ rndsinks_distribute();
}
/*
@@ -447,7 +382,7 @@ rnd_init(void)
return;
mutex_init(&rnd_mtx, MUTEX_DEFAULT, IPL_VM);
- mutex_init(&rndsink_mtx, MUTEX_DEFAULT, IPL_VM);
+ rndsinks_init();
/*
* take a counter early, hoping that there's some variance in
@@ -457,7 +392,6 @@ rnd_init(void)
LIST_INIT(&rnd_sources);
SIMPLEQ_INIT(&rnd_samples);
- TAILQ_INIT(&rnd_sinks);
rndpool_init(&rnd_pool);
mutex_init(&rndpool_mtx, MUTEX_DEFAULT, IPL_VM);
@@ -902,7 +836,6 @@ rnd_process_events(void)
SIMPLEQ_HEAD_INITIALIZER(dq_samples);
SIMPLEQ_HEAD(, _rnd_sample_t) df_samples =
SIMPLEQ_HEAD_INITIALIZER(df_samples);
- TAILQ_HEAD(, rndsink) sunk = TAILQ_HEAD_INITIALIZER(sunk);
/*
* Sample queue is protected by rnd_mtx, drain to onstack queue
@@ -1113,42 +1046,6 @@ rnd_extract_data(void *p, u_int32_t len, u_int32_t flags)
}
void
-rndsink_attach(rndsink_t *rs)
-{
-#ifdef RND_VERBOSE
- printf("rnd: entropy sink \"%s\" wants %d bytes of data.\n",
- rs->name, (int)rs->len);
-#endif
-
- KASSERT(mutex_owned(&rs->mtx));
- KASSERT(rs->state = RSTATE_PENDING);
-
- mutex_spin_enter(&rndsink_mtx);
- TAILQ_INSERT_TAIL(&rnd_sinks, rs, tailq);
- mutex_spin_exit(&rndsink_mtx);
-
- rnd_schedule_process();
-}
-
-void
-rndsink_detach(rndsink_t *rs)
-{
- rndsink_t *sink, *tsink;
-#ifdef RND_VERBOSE
- printf("rnd: entropy sink \"%s\" no longer wants data.\n", rs->name);
-#endif
- KASSERT(mutex_owned(&rs->mtx));
-
- mutex_spin_enter(&rndsink_mtx);
- TAILQ_FOREACH_SAFE(sink, &rnd_sinks, tailq, tsink) {
- if (sink == rs) {
- TAILQ_REMOVE(&rnd_sinks, rs, tailq);
- }
- }
- mutex_spin_exit(&rndsink_mtx);
-}
-
-void
rnd_seed(void *base, size_t len)
{
SHA1_CTX s;
diff --git a/sys/kern/kern_rndsink.c b/sys/kern/kern_rndsink.c
new file mode 100644
index 0000000..b6490f6
--- /dev/null
+++ b/sys/kern/kern_rndsink.c
@@ -0,0 +1,272 @@
+/* $NetBSD$ */
+
+/*-
+ * Copyright (c) 2013 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Taylor R. Campbell.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__KERNEL_RCSID(0, "$NetBSD$");
+
+#include <sys/param.h>
+#include <sys/types.h>
+#include <sys/condvar.h>
+#include <sys/kmem.h>
+#include <sys/mutex.h>
+#include <sys/queue.h>
+#include <sys/rnd.h>
+#include <sys/rndsink.h>
+
+#include <dev/rnd_private.h> /* XXX provisional, for rnd_extract_data */
+
+struct rndsink {
+ TAILQ_ENTRY(rndsink) rsink_entry;
+ bool rsink_queued;
+ bool rsink_inflight;
+ kcondvar_t rsink_cv;
+ unsigned int rsink_bytes;
+ rndsink_callback_t *rsink_callback;
+ void *rsink_arg;
+};
+
+static kmutex_t rndsinks_lock __cacheline_aligned;
+static TAILQ_HEAD(, rndsink) rndsinks = TAILQ_HEAD_INITIALIZER(rndsinks);
+
+void
+rndsinks_init(void)
+{
+
+ /*
+ * This mutex must be at an ipl as high as the highest ipl of
+ * anyone who wants to call rndsink_request.
+ *
+ * XXX Call this IPL_RND, perhaps.
+ */
+ mutex_init(&rndsinks_lock, MUTEX_DEFAULT, IPL_VM);
+}
+
+/*
+ * XXX Provisional -- rndpool_extract and rndpool_maybe_extract should
+ * move into kern_rndpool.c.
+ */
+extern rndpool_t rnd_pool;
+extern kmutex_t rndpool_mtx;
+
+/*
+ * Fill the buffer with as much entropy as we can. Return true if it
+ * has full entropy and false if not.
+ */
+static bool
+rndpool_extract(void *buffer, size_t bytes)
+{
+ const size_t extracted = rnd_extract_data(buffer, bytes,
+ RND_EXTRACT_GOOD);
+
+ if (extracted < bytes) {
+ (void)rnd_extract_data((uint8_t *)buffer + extracted,
+ bytes - extracted, RND_EXTRACT_ANY);
+ mutex_enter(&rndpool_mtx);
+ rnd_getmore(bytes - extracted);
+ mutex_exit(&rndpool_mtx);
+ return false;
+ }
+
+ return true;
+}
+
+/*
+ * If we have as much entropy as is requested, fill the buffer with it
+ * and return true. Otherwise, leave the buffer alone and return
+ * false.
+ */
+static bool
+rndpool_maybe_extract(void *buffer, size_t bytes)
+{
+ bool ok;
+
+ KASSERT(bytes <= RNDSINK_MAX_BYTES);
+ CTASSERT(RND_ENTROPY_THRESHOLD <= 0xffffffffUL);
+ CTASSERT(RNDSINK_MAX_BYTES <= (0xffffffffUL - RND_ENTROPY_THRESHOLD));
+ CTASSERT((RNDSINK_MAX_BYTES + RND_ENTROPY_THRESHOLD) <=
+ (0xffffffffUL / NBBY));
+
+ const uint32_t bits_needed = ((bytes + RND_ENTROPY_THRESHOLD) * NBBY);
+
+ mutex_enter(&rndpool_mtx);
+ if (bits_needed <= rndpool_get_entropy_count(&rnd_pool)) {
+ const uint32_t extracted __unused =
+ rndpool_extract_data(&rnd_pool, buffer, bytes,
+ RND_EXTRACT_GOOD);
+
+ KASSERT(extracted == bytes);
+
+ ok = true;
+ } else {
+ ok = false;
+ rnd_getmore(howmany(bits_needed -
+ rndpool_get_entropy_count(&rnd_pool), NBBY));
+ }
+ mutex_exit(&rndpool_mtx);
+
+ return ok;
+}
+
+void
+rndsinks_distribute(void)
+{
+ uint8_t buffer[RNDSINK_MAX_BYTES];
+ struct rndsink *rndsink;
+
+ explicit_bzero(buffer, sizeof(buffer)); /* paranoia */
+
+ mutex_spin_enter(&rndsinks_lock);
+ while ((rndsink = TAILQ_FIRST(&rndsinks)) != NULL) {
+ KASSERT(rndsink->rsink_queued);
+
+ /* Bail if we can't get some entropy for this rndsink. */
+ if (!rndpool_maybe_extract(buffer, rndsink->rsink_bytes))
+ break;
+
+ /*
+ * Got some entropy. Take the sink off the queue and
+ * feed the entropy to the callback, with rndsinks_lock
+ * dropped. While running the callback, lock out
+ * rndsink_destroy by marking the sink in flight.
+ */
+ TAILQ_REMOVE(&rndsinks, rndsink, rsink_entry);
+ rndsink->rsink_queued = false;
+ rndsink->rsink_inflight = true;
+ mutex_spin_exit(&rndsinks_lock);
+
+ (*rndsink->rsink_callback)(rndsink->rsink_arg, buffer,
+ rndsink->rsink_bytes);
+ explicit_bzero(buffer, rndsink->rsink_bytes);
+
+ mutex_spin_enter(&rndsinks_lock);
+ }
+ mutex_spin_exit(&rndsinks_lock);
+
+ explicit_bzero(buffer, sizeof(buffer)); /* paranoia */
+}
+
+static void
+rndsinks_enqueue(struct rndsink *rndsink)
+{
+
+ KASSERT(mutex_owned(&rndsinks_lock));
+
+ /* XXX Kick any on-demand entropy sources too. */
+
+ /* Are already queued, or is the callback still doing its work? */
+ if (rndsink->rsink_queued || rndsink->rsink_inflight)
+ return;
+
+ /* No: queue us up for entropy when it is next available. */
+ TAILQ_INSERT_TAIL(&rndsinks, rndsink, rsink_entry);
+ rndsink->rsink_queued = true;
+}
+
+struct rndsink *
+rndsink_create(size_t bytes, rndsink_callback_t *callback, void *arg)
+{
+ struct rndsink *const rndsink = kmem_alloc(sizeof(*rndsink), KM_SLEEP);
+
+ KASSERT(bytes <= RNDSINK_MAX_BYTES);
+
+ rndsink->rsink_queued = false;
+ rndsink->rsink_inflight = false;
+ cv_init(&rndsink->rsink_cv, "rndsink");
+ rndsink->rsink_bytes = bytes;
+ rndsink->rsink_callback = callback;
+ rndsink->rsink_arg = arg;
+
+ return rndsink;
+}
+
+void
+rndsink_destroy(struct rndsink *rndsink)
+{
+
+ /*
+ * If it's in flight, wait for the callback to complete. Then
+ * make sure the rndsink is off the queue so nobody will start
+ * new callbacks. Caller must guarantee no future calls to
+ * rndsink_request or rndsink_schedule for this rndsink.
+ */
+ mutex_spin_enter(&rndsinks_lock);
+ while (rndsink->rsink_inflight)
+ cv_wait(&rndsink->rsink_cv, &rndsinks_lock);
+ if (rndsink->rsink_queued) {
+ TAILQ_REMOVE(&rndsinks, rndsink, rsink_entry);
+ rndsink->rsink_queued = false;
+ }
+ KASSERT(!rndsink->rsink_queued);
+ KASSERT(!rndsink->rsink_inflight);
+ mutex_spin_exit(&rndsinks_lock);
+
+ cv_destroy(&rndsink->rsink_cv);
+
+ kmem_free(rndsink, sizeof(*rndsink));
+}
+
+void
+rndsink_schedule(struct rndsink *rndsink)
+{
+
+ /* Optimistically check without the lock whether we're queued. */
+ if (!rndsink->rsink_queued) {
+ mutex_spin_enter(&rndsinks_lock);
+ rndsinks_enqueue(rndsink);
+ mutex_spin_exit(&rndsinks_lock);
+ }
+}
+
+bool
+rndsink_request(struct rndsink *rndsink, void *buffer, size_t bytes)
+{
+
+ KASSERT(bytes == rndsink->rsink_bytes);
+
+ mutex_spin_enter(&rndsinks_lock);
+ const bool full_entropy = rndpool_extract(buffer, bytes);
+ if (!full_entropy)
+ rndsinks_enqueue(rndsink);
+ mutex_spin_exit(&rndsinks_lock);
+
+ return full_entropy;
+}
+
+void
+rndsink_commit(struct rndsink *rndsink)
+{
+
+ mutex_spin_enter(&rndsinks_lock);
+ KASSERT(rndsink->rsink_inflight);
+ rndsink->rsink_inflight = false;
+ cv_broadcast(&rndsink->rsink_cv);
+ mutex_spin_exit(&rndsinks_lock);
+}
diff --git a/sys/kern/subr_cprng.c b/sys/kern/subr_cprng.c
index 3889327..efedd56 100644
--- a/sys/kern/subr_cprng.c
+++ b/sys/kern/subr_cprng.c
@@ -1,11 +1,11 @@
/* $NetBSD: subr_cprng.c,v 1.17 2013/06/13 00:55:01 tls Exp $ */
/*-
- * Copyright (c) 2011 The NetBSD Foundation, Inc.
+ * Copyright (c) 2011-2013 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This code is derived from software contributed to The NetBSD Foundation
- * by Thor Lancelot Simon.
+ * by Thor Lancelot Simon and Taylor R. Campbell.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -29,25 +29,43 @@
* POSSIBILITY OF SUCH DAMAGE.
*/
+#include <sys/cdefs.h>
+__KERNEL_RCSID(0, "$NetBSD: subr_cprng.c,v 1.17 2013/06/13 00:55:01 tls Exp
$");
+
+#include <sys/param.h>
#include <sys/types.h>
#include <sys/atomic.h>
-#include <sys/time.h>
-#include <sys/param.h>
+#include <sys/condvar.h>
+#include <sys/cprng.h>
+#include <sys/errno.h>
+#include <sys/event.h> /* XXX struct knote */
+#include <sys/fcntl.h> /* XXX FNONBLOCK */
#include <sys/kernel.h>
-#include <sys/systm.h>
#include <sys/kmem.h>
-#include <sys/mutex.h>
-#include <sys/rngtest.h>
+#include <sys/poll.h> /* XXX POLLIN/POLLOUT/&c. */
+#include <sys/select.h>
+#include <sys/systm.h>
#include <sys/rnd.h>
-#include <dev/rnd_private.h>
+#include <sys/rndsink.h>
+#if DEBUG
+#include <sys/rngtest.h>
+#endif
+
+#include <crypto/nist_ctr_drbg/nist_ctr_drbg.h>
#if defined(__HAVE_CPU_COUNTER)
#include <machine/cpu_counter.h>
#endif
-#include <sys/cprng.h>
+static void cprng_strong_generate(struct cprng_strong *, void *, size_t);
+static void cprng_strong_reseed(struct cprng_strong *);
+static void cprng_strong_reseed_from(struct cprng_strong *, const void *,
+ size_t, bool);
+#if DEBUG
+static void cprng_strong_rngtest(struct cprng_strong *);
+#endif
-__KERNEL_RCSID(0, "$NetBSD: subr_cprng.c,v 1.17 2013/06/13 00:55:01 tls Exp
$");
+static rndsink_callback_t cprng_strong_rndsink_callback;
void
cprng_init(void)
@@ -73,343 +91,379 @@ cprng_counter(void)
return (tv.tv_sec * 1000000 + tv.tv_usec);
}
-static void
-cprng_strong_doreseed(cprng_strong_t *const c)
+struct cprng_strong {
+ char cs_name[16];
+ int cs_flags;
+ kmutex_t cs_lock;
+ kcondvar_t cs_cv;
+ struct selinfo cs_selq;
+ struct rndsink *cs_rndsink;
+ bool cs_ready;
+ NIST_CTR_DRBG cs_drbg;
+};
+
+struct cprng_strong *
+cprng_strong_create(const char *name, int ipl, int flags)
{
- uint32_t cc = cprng_counter();
+ const uint32_t cc = cprng_counter();
+ struct cprng_strong *const cprng = kmem_alloc(sizeof(*cprng),
+ KM_SLEEP);
- KASSERT(mutex_owned(&c->mtx));
- KASSERT(mutex_owned(&c->reseed.mtx));
- KASSERT(c->reseed.len == NIST_BLOCK_KEYLEN_BYTES);
+ /*
+ * rndsink_request takes a spin lock at IPL_VM, so we can be no
+ * higher than that.
+ */
+ KASSERT(ipl <= IPL_VM);
+
+ /* Initialize the easy fields. */
+ (void)strlcpy(cprng->cs_name, name, sizeof(cprng->cs_name));
+ cprng->cs_flags = flags;
+ mutex_init(&cprng->cs_lock, MUTEX_DEFAULT, ipl);
+ cv_init(&cprng->cs_cv, cprng->cs_name);
+ selinit(&cprng->cs_selq);
+ cprng->cs_rndsink = rndsink_create(NIST_BLOCK_KEYLEN_BYTES,
+ &cprng_strong_rndsink_callback, cprng);
+
+ /* Get some initial entropy. Record whether it is full entropy. */
+ uint8_t seed[NIST_BLOCK_KEYLEN_BYTES];
+ cprng->cs_ready = rndsink_request(cprng->cs_rndsink, seed,
+ sizeof(seed));
+ if (nist_ctr_drbg_instantiate(&cprng->cs_drbg, seed, sizeof(seed),
+ &cc, sizeof(cc), cprng->cs_name, sizeof(cprng->cs_name)))
+ /* XXX Fix nist_ctr_drbg API so this can't happen. */
+ panic("cprng %s: NIST CTR_DRBG instantiation failed",
+ cprng->cs_name);
+ explicit_bzero(seed, sizeof(seed));
+
+ if (!cprng->cs_ready && !ISSET(flags, CPRNG_INIT_ANY))
+ printf("cprng %s: creating with partial entropy\n",
+ cprng->cs_name);
+
+ return cprng;
+}
- if (nist_ctr_drbg_reseed(&c->drbg, c->reseed.data, c->reseed.len,
- &cc, sizeof(cc))) {
- panic("cprng %s: nist_ctr_drbg_reseed failed.", c->name);
- }
- memset(c->reseed.data, 0, c->reseed.len);
+void
+cprng_strong_destroy(struct cprng_strong *cprng)
+{
-#ifdef RND_VERBOSE
- printf("cprng %s: reseeded with rnd_filled = %d\n", c->name,
- rnd_filled);
+ /*
+ * Destroy the rndsink first to prevent calls to the callback.
+ */
+ rndsink_destroy(cprng->cs_rndsink);
+
+ KASSERT(!cv_has_waiters(&cprng->cs_cv));
+#if 0
+ KASSERT(!select_has_waiters(&cprng->cs_selq)) /* XXX ? */
#endif
- c->entropy_serial = rnd_filled;
- c->reseed.state = RSTATE_IDLE;
- if (c->flags & CPRNG_USE_CV) {
- cv_broadcast(&c->cv);
- }
- selnotify(&c->selq, 0, 0);
+
+ nist_ctr_drbg_destroy(&cprng->cs_drbg);
+ seldestroy(&cprng->cs_selq);
+ cv_destroy(&cprng->cs_cv);
+ mutex_destroy(&cprng->cs_lock);
+
+ explicit_bzero(cprng, sizeof(*cprng)); /* paranoia */
+ kmem_free(cprng, sizeof(*cprng));
}
-static void
-cprng_strong_sched_reseed(cprng_strong_t *const c)
+/*
+ * Generate some data from cprng. Block or return zero bytes,
+ * depending on flags & FNONBLOCK, if cprng was created without
+ * CPRNG_REKEY_ANY.
+ */
+size_t
+cprng_strong(struct cprng_strong *cprng, void *buffer, size_t bytes, int flags)
{
- KASSERT(mutex_owned(&c->mtx));
- if (mutex_tryenter(&c->reseed.mtx)) {
- switch (c->reseed.state) {
- case RSTATE_IDLE:
- c->reseed.state = RSTATE_PENDING;
- c->reseed.len = NIST_BLOCK_KEYLEN_BYTES;
- rndsink_attach(&c->reseed);
- break;
- case RSTATE_HASBITS:
- /* Just rekey the underlying generator now. */
- cprng_strong_doreseed(c);
- break;
- case RSTATE_PENDING:
- if (c->entropy_serial != rnd_filled) {
- rndsink_detach(&c->reseed);
- rndsink_attach(&c->reseed);
+ size_t result;
+
+ /* Caller must loop for more than CPRNG_MAX_LEN bytes. */
+ bytes = MIN(bytes, CPRNG_MAX_LEN);
+
+ mutex_enter(&cprng->cs_lock);
+
+ if (ISSET(cprng->cs_flags, CPRNG_REKEY_ANY)) {
+ if (!cprng->cs_ready)
+ cprng_strong_reseed(cprng);
+ } else {
+ while (!cprng->cs_ready) {
+ if (ISSET(flags, FNONBLOCK) ||
+ !ISSET(cprng->cs_flags, CPRNG_USE_CV) ||
+ cv_wait_sig(&cprng->cs_cv, &cprng->cs_lock)) {
+ result = 0;
+ goto out;
}
- break;
- default:
- panic("cprng %s: bad reseed state %d",
- c->name, c->reseed.state);
- break;
}
- mutex_spin_exit(&c->reseed.mtx);
}
-#ifdef RND_VERBOSE
- else {
- printf("cprng %s: skipping sched_reseed, sink busy\n",
- c->name);
+
+ cprng_strong_generate(cprng, buffer, bytes);
+ result = bytes;
+
+out: mutex_exit(&cprng->cs_lock);
+ return result;
+}
+
+static void filt_cprng_detach(struct knote *);
+static int filt_cprng_event(struct knote *, long);
+
+static const struct filterops cprng_filtops =
+ { 1, NULL, filt_cprng_detach, filt_cprng_event };
+
+int
+cprng_strong_kqfilter(struct cprng_strong *cprng, struct knote *kn)
+{
+
+ switch (kn->kn_filter) {
+ case EVFILT_READ:
+ kn->kn_fop = &cprng_filtops;
+ kn->kn_hook = cprng;
+ mutex_enter(&cprng->cs_lock);
+ SLIST_INSERT_HEAD(&cprng->cs_selq.sel_klist, kn, kn_selnext);
+ mutex_exit(&cprng->cs_lock);
+ return 0;
+
+ case EVFILT_WRITE:
+ default:
+ return EINVAL;
}
-#endif
}
static void
-cprng_strong_reseed(void *const arg)
+filt_cprng_detach(struct knote *kn)
{
- cprng_strong_t *c = arg;
+ struct cprng_strong *const cprng = kn->kn_hook;
- KASSERT(mutex_owned(&c->reseed.mtx));
- KASSERT(RSTATE_HASBITS == c->reseed.state);
+ mutex_enter(&cprng->cs_lock);
+ SLIST_REMOVE(&cprng->cs_selq.sel_klist, kn, knote, kn_selnext);
+ mutex_exit(&cprng->cs_lock);
+}
- if (!mutex_tryenter(&c->mtx)) {
-#ifdef RND_VERBOSE
- printf("cprng: sink %s cprng busy, no reseed\n", c->reseed.name);
-#endif
- if (c->flags & CPRNG_USE_CV) { /* XXX if flags change? */
- cv_broadcast(&c->cv);
- }
- return;
+static int
+filt_cprng_event(struct knote *kn, long hint)
+{
+ struct cprng_strong *const cprng = kn->kn_hook;
+ int ret;
+
+ if (hint == NOTE_SUBMIT)
+ KASSERT(mutex_owned(&cprng->cs_lock));
+ else
+ mutex_enter(&cprng->cs_lock);
+ if (cprng->cs_ready) {
+ kn->kn_data = CPRNG_MAX_LEN; /* XXX Too large? */
+ ret = 1;
+ } else {
+ ret = 0;
}
+ if (hint == NOTE_SUBMIT)
+ KASSERT(mutex_owned(&cprng->cs_lock));
+ else
+ mutex_exit(&cprng->cs_lock);
- cprng_strong_doreseed(c);
- mutex_exit(&c->mtx);
+ return ret;
}
-static size_t
-cprng_entropy_try(uint8_t *key, size_t keylen)
+int
+cprng_strong_poll(struct cprng_strong *cprng, int events)
{
- int r;
- r = rnd_extract_data(key, keylen, RND_EXTRACT_GOOD);
- if (r != keylen) { /* Always fill in, for safety */
- rnd_extract_data(key + r, keylen - r, RND_EXTRACT_ANY);
+ int revents;
+
+ if (!ISSET(events, (POLLIN | POLLRDNORM)))
+ return 0;
+
+ mutex_enter(&cprng->cs_lock);
+ if (cprng->cs_ready) {
+ revents = (events & (POLLIN | POLLRDNORM));
+ } else {
+ selrecord(curlwp, &cprng->cs_selq);
+ revents = 0;
}
- return r;
+ mutex_exit(&cprng->cs_lock);
+
+ return revents;
}
-cprng_strong_t *
-cprng_strong_create(const char *const name, int ipl, int flags)
+/*
+ * XXX Kludge for the current /dev/random implementation.
+ */
+void
+cprng_strong_deplete(struct cprng_strong *cprng)
{
- cprng_strong_t *c;
- uint8_t key[NIST_BLOCK_KEYLEN_BYTES];
- int r, getmore = 0, hard = 0;
- uint32_t cc;
-
- c = kmem_alloc(sizeof(*c), KM_NOSLEEP);
- if (c == NULL) {
- return NULL;
- }
- c->flags = flags;
- strlcpy(c->name, name, sizeof(c->name));
- c->reseed.state = RSTATE_IDLE;
- c->reseed.cb = cprng_strong_reseed;
- c->reseed.arg = c;
- c->entropy_serial = rnd_initial_entropy ? rnd_filled : -1;
- mutex_init(&c->reseed.mtx, MUTEX_DEFAULT, IPL_VM);
- strlcpy(c->reseed.name, name, sizeof(c->reseed.name));
-
- mutex_init(&c->mtx, MUTEX_DEFAULT, ipl);
-
- if (c->flags & CPRNG_USE_CV) {
- cv_init(&c->cv, (const char *)c->name);
- }
- selinit(&c->selq);
-
- r = cprng_entropy_try(key, sizeof(key));
- if (r != sizeof(key)) {
- if (c->flags & CPRNG_INIT_ANY) {
-#ifdef DEBUG
- /*
- * If we have ever crossed the pool's
- * minimum-entropy threshold, then we are
- * providing cryptographically strong
- * random output -- if not information-
- * theoretically strong. Warn elsewise.
- */
- if (!rnd_initial_entropy) {
- printf("cprng %s: WARNING insufficient "
- "entropy at creation.\n", name);
- }
-#endif
- } else {
- hard++;
- }
- getmore++;
- }
-
- if (nist_ctr_drbg_instantiate(&c->drbg, key, sizeof(key),
- &cc, sizeof(cc), name, strlen(name))) {
- panic("cprng %s: instantiation failed.", name);
- }
+ mutex_enter(&cprng->cs_lock);
+ cprng->cs_ready = false;
+ rndsink_schedule(cprng->cs_rndsink);
+ mutex_exit(&cprng->cs_lock);
+}
- if (getmore) {
- /* Cause readers to wait for rekeying. */
- if (hard) {
- c->drbg.reseed_counter =
- NIST_CTR_DRBG_RESEED_INTERVAL + 1;
- } else {
- c->drbg.reseed_counter =
- (NIST_CTR_DRBG_RESEED_INTERVAL / 2) + 1;
- }
- }
- return c;
+/*
+ * XXX Move nist_ctr_drbg_reseed_advised_p and
+ * nist_ctr_drbg_reseed_needed_p into the nist_ctr_drbg API and make
+ * the NIST_CTR_DRBG structure opaque.
+ */
+static bool
+nist_ctr_drbg_reseed_advised_p(NIST_CTR_DRBG *drbg)
+{
+
+ return (drbg->reseed_counter > (NIST_CTR_DRBG_RESEED_INTERVAL / 2));
}
-size_t
-cprng_strong(cprng_strong_t *const c, void *const p, size_t len, int flags)
+static bool
+nist_ctr_drbg_reseed_needed_p(NIST_CTR_DRBG *drbg)
{
- uint32_t cc = cprng_counter();
-#ifdef DEBUG
- int testfail = 0;
-#endif
- if (len > CPRNG_MAX_LEN) { /* XXX should we loop? */
- len = CPRNG_MAX_LEN; /* let the caller loop if desired */
- }
- mutex_enter(&c->mtx);
- /* If we were initialized with the pool empty, rekey ASAP */
- if (__predict_false(c->entropy_serial == -1) && rnd_initial_entropy) {
- c->entropy_serial = 0;
- goto rekeyany; /* We have _some_ entropy, use it. */
- }
-
- if (nist_ctr_drbg_generate(&c->drbg, p, len, &cc, sizeof(cc))) {
- /* A generator failure really means we hit the hard limit. */
-rekeyany:
- if (c->flags & CPRNG_REKEY_ANY) {
- uint8_t key[NIST_BLOCK_KEYLEN_BYTES];
-
- if (cprng_entropy_try(key, sizeof(key)) !=
- sizeof(key)) {
- printf("cprng %s: WARNING "
- "pseudorandom rekeying.\n", c->name);
- }
- cc = cprng_counter();
- if (nist_ctr_drbg_reseed(&c->drbg, key, sizeof(key),
- &cc, sizeof(cc))) {
- panic("cprng %s: nist_ctr_drbg_reseed "
- "failed.", c->name);
- }
- memset(key, 0, sizeof(key));
- } else {
- int wr;
-
- do {
- cprng_strong_sched_reseed(c);
- if ((flags & FNONBLOCK) ||
- !(c->flags & CPRNG_USE_CV)) {
- len = 0;
- break;
- }
- /*
- * XXX There's a race with the cv_broadcast
- * XXX in cprng_strong_sched_reseed, because
- * XXX of the use of tryenter in that function.
- * XXX This "timedwait" hack works around it,
- * XXX at the expense of occasionaly polling
- * XXX for success on a /dev/random rekey.
- */
- wr = cv_timedwait_sig(&c->cv, &c->mtx,
- mstohz(100));
- if (wr == ERESTART) {
- mutex_exit(&c->mtx);
- return 0;
- }
- } while (nist_ctr_drbg_generate(&c->drbg, p,
- len, &cc,
- sizeof(cc)));
- }
- }
+ return (drbg->reseed_counter >= NIST_CTR_DRBG_RESEED_INTERVAL);
+}
+
+/*
+ * Generate some data from the underlying generator.
+ */
+static void
+cprng_strong_generate(struct cprng_strong *cprng, void *buffer,
+ size_t bytes)
+{
+ const uint32_t cc = cprng_counter();
+
+ KASSERT(bytes <= CPRNG_MAX_LEN);
+ KASSERT(mutex_owned(&cprng->cs_lock));
-#ifdef DEBUG
/*
- * If the generator has just been keyed, perform
- * the statistical RNG test.
+ * Generate some data from the NIST CTR_DRBG. Caller
+ * guarantees reseed if we're not ready, and if we exhaust the
+ * generator, we mark ourselves not ready. Consequently, this
+ * call to the CTR_DRBG should not fail.
*/
- if (__predict_false(c->drbg.reseed_counter == 1) &&
- (flags & FASYNC) == 0) {
- rngtest_t *rt = kmem_intr_alloc(sizeof(*rt), KM_NOSLEEP);
-
- if (rt) {
+ if (__predict_false(nist_ctr_drbg_generate(&cprng->cs_drbg, buffer,
+ bytes, &cc, sizeof(cc))))
+ panic("cprng %s: NIST CTR_DRBG failed", cprng->cs_name);
- strncpy(rt->rt_name, c->name, sizeof(rt->rt_name));
+ /*
+ * If we've been seeing a lot of use, ask for some fresh
+ * entropy soon.
+ */
+ if (__predict_false(nist_ctr_drbg_reseed_advised_p(&cprng->cs_drbg)))
+ rndsink_schedule(cprng->cs_rndsink);
- if (nist_ctr_drbg_generate(&c->drbg, rt->rt_b,
- sizeof(rt->rt_b), NULL, 0)) {
- panic("cprng %s: nist_ctr_drbg_generate "
- "failed!", c->name);
-
- }
- testfail = rngtest(rt);
-
- if (testfail) {
- printf("cprng %s: failed statistical RNG "
- "test.\n", c->name);
- c->drbg.reseed_counter =
- NIST_CTR_DRBG_RESEED_INTERVAL + 1;
- len = 0;
- }
- memset(rt, 0, sizeof(*rt));
- kmem_intr_free(rt, sizeof(*rt));
- }
- }
-#endif
- if (__predict_false(c->drbg.reseed_counter >
- (NIST_CTR_DRBG_RESEED_INTERVAL / 2))) {
- cprng_strong_sched_reseed(c);
- } else if (rnd_full) {
- if (c->entropy_serial != rnd_filled) {
-#ifdef RND_VERBOSE
- printf("cprng %s: reseeding from full pool "
- "(serial %d vs pool %d)\n", c->name,
- c->entropy_serial, rnd_filled);
-#endif
- cprng_strong_sched_reseed(c);
- }
+ /*
+ * If we just exhausted the generator, inform the next user
+ * that we need a reseed.
+ *
+ * XXX For /dev/random CPRNGs, the criterion is supposed to be
+ * `Has this seeding generated 32 bytes?'.
+ */
+ if (__predict_false(nist_ctr_drbg_reseed_needed_p(&cprng->cs_drbg))) {
+ cprng->cs_ready = false;
+ rndsink_schedule(cprng->cs_rndsink); /* paranoia */
}
+}
+
+/*
+ * Reseed with whatever we can get from the system entropy pool right now.
+ */
+static void
+cprng_strong_reseed(struct cprng_strong *cprng)
+{
+ uint8_t seed[NIST_BLOCK_KEYLEN_BYTES];
- mutex_exit(&c->mtx);
- return len;
+ KASSERT(mutex_owned(&cprng->cs_lock));
+
+ const bool full_entropy = rndsink_request(cprng->cs_rndsink, seed,
+ sizeof(seed));
+ cprng_strong_reseed_from(cprng, seed, sizeof(seed), full_entropy);
+ explicit_bzero(seed, sizeof(seed));
}
-void
-cprng_strong_destroy(cprng_strong_t *c)
+/*
+ * Reseed with the given seed. If we now have full entropy, notify waiters.
+ */
+static void
+cprng_strong_reseed_from(struct cprng_strong *cprng,
+ const void *seed, size_t bytes, bool full_entropy)
{
- mutex_enter(&c->mtx);
- mutex_spin_enter(&c->reseed.mtx);
+ const uint32_t cc = cprng_counter();
- if (c->flags & CPRNG_USE_CV) {
- KASSERT(!cv_has_waiters(&c->cv));
- cv_destroy(&c->cv);
- }
- seldestroy(&c->selq);
+ KASSERT(bytes == NIST_BLOCK_KEYLEN_BYTES);
+ KASSERT(mutex_owned(&cprng->cs_lock));
- if (RSTATE_PENDING == c->reseed.state) {
- rndsink_detach(&c->reseed);
+ /*
+ * Notify anyone interested in the partiality of entropy in our
+ * seed -- anyone waiting for full entropy, or any system
+ * operators interested in knowing when the entropy pool is
+ * running on fumes.
+ */
+ if (full_entropy) {
+ if (!cprng->cs_ready) {
+ cprng->cs_ready = true;
+ cv_broadcast(&cprng->cs_cv);
+ selnotify(&cprng->cs_selq, (POLLIN | POLLRDNORM),
+ NOTE_SUBMIT);
+ }
+ } else {
+ /*
+ * XXX Is there is any harm in reseeding with partial
+ * entropy when we had full entropy before? If so,
+ * remove the conditional on this message.
+ */
+ if (!cprng->cs_ready &&
+ !ISSET(cprng->cs_flags, CPRNG_REKEY_ANY))
+ printf("cprng %s: reseeding with partial entropy\n",
+ cprng->cs_name);
}
- mutex_spin_exit(&c->reseed.mtx);
- mutex_destroy(&c->reseed.mtx);
- nist_ctr_drbg_destroy(&c->drbg);
+ if (nist_ctr_drbg_reseed(&cprng->cs_drbg, seed, bytes, &cc, sizeof(cc)))
+ /* XXX Fix nist_ctr_drbg API so this can't happen. */
+ panic("cprng %s: NIST CTR_DRBG reseed failed", cprng->cs_name);
- mutex_exit(&c->mtx);
- mutex_destroy(&c->mtx);
-
- memset(c, 0, sizeof(*c));
- kmem_free(c, sizeof(*c));
+#if DEBUG
+ cprng_strong_rngtest(cprng);
+#endif
}
-int
-cprng_strong_getflags(cprng_strong_t *const c)
+#if DEBUG
+/*
+ * Generate some output and apply a statistical RNG test to it.
+ */
+static void
+cprng_strong_rngtest(struct cprng_strong *cprng)
{
- KASSERT(mutex_owned(&c->mtx));
- return c->flags;
+
+ KASSERT(mutex_owned(&cprng->cs_lock));
+
+ /* XXX Switch to a pool cache instead? */
+ rngtest_t *const rt = kmem_intr_alloc(sizeof(*rt), KM_NOSLEEP);
+ if (rt == NULL)
+ /* XXX Warn? */
+ return;
+
+ (void)strlcpy(rt->rt_name, cprng->cs_name, sizeof(rt->rt_name));
+
+ if (nist_ctr_drbg_generate(&cprng->cs_drbg, rt->rt_b, sizeof(rt->rt_b),
+ NULL, 0))
+ panic("cprng %s: NIST CTR_DRBG failed after reseed",
+ cprng->cs_name);
+
+ if (rngtest(rt)) {
+ printf("cprng %s: failed statistical RNG test\n",
+ cprng->cs_name);
+ /* XXX Not clear that this does any good... */
+ cprng->cs_ready = false;
+ rndsink_schedule(cprng->cs_rndsink);
+ }
+
+ explicit_bzero(rt, sizeof(*rt)); /* paranoia */
+ kmem_intr_free(rt, sizeof(*rt));
}
+#endif
-void
-cprng_strong_setflags(cprng_strong_t *const c, int flags)
+/*
+ * Feed entropy from an rndsink request into the CPRNG for which the
+ * request was issued.
+ */
+static void
+cprng_strong_rndsink_callback(void *context, const void *seed, size_t bytes)
{
- KASSERT(mutex_owned(&c->mtx));
- if (flags & CPRNG_USE_CV) {
- if (!(c->flags & CPRNG_USE_CV)) {
- cv_init(&c->cv, (const char *)c->name);
- }
- } else {
- if (c->flags & CPRNG_USE_CV) {
- KASSERT(!cv_has_waiters(&c->cv));
- cv_destroy(&c->cv);
- }
- }
- if (flags & CPRNG_REKEY_ANY) {
- if (!(c->flags & CPRNG_REKEY_ANY)) {
- if (c->flags & CPRNG_USE_CV) {
- cv_broadcast(&c->cv);
- }
- selnotify(&c->selq, 0, 0);
- }
- }
- c->flags = flags;
+ struct cprng_strong *const cprng = context;
+
+ mutex_enter(&cprng->cs_lock);
+ /* Assume that rndsinks provide only full-entropy output. */
+ cprng_strong_reseed_from(cprng, seed, bytes, true);
+ rndsink_commit(cprng->cs_rndsink);
+ mutex_exit(&cprng->cs_lock);
}
diff --git a/sys/lib/libkern/arc4random.c b/sys/lib/libkern/arc4random.c
index a62f3d9..55a3c8a3 100644
--- a/sys/lib/libkern/arc4random.c
+++ b/sys/lib/libkern/arc4random.c
@@ -43,39 +43,41 @@
#include <sys/cdefs.h>
-#ifdef _KERNEL
-#define NRND 1
-#else
-#define NRND 0
-#endif
-
-#include <sys/types.h>
-#include <sys/time.h>
#include <sys/param.h>
-#ifdef _KERNEL
-#include <sys/kernel.h>
-#endif
+#include <sys/types.h>
+#include <sys/rngtest.h>
#include <sys/systm.h>
+#include <sys/time.h>
-#ifdef _KERNEL
+#ifdef _STANDALONE
+/*
+ * XXX This is a load of bollocks. Standalone has no entropy source.
+ * This module should be removed from libkern once we confirm nobody is
+ * using it.
+ */
+#define time_uptime 1
+typedef struct kmutex *kmutex_t;
+#define MUTEX_DEFAULT 0
+#define IPL_VM 0
+static void mutex_init(kmutex_t *m, int t, int i) {}
+static void mutex_spin_enter(kmutex_t *m) {}
+static void mutex_spin_exit(kmutex_t *m) {}
+typedef void rndsink_callback_t(void *, const void *, size_t);
+struct rndsink;
+static struct rndsink *rndsink_create(size_t n, rndsink_callback_t c, void *a)
+ { return NULL; }
+static bool rndsink_request(struct rndsink *s, void *b, size_t n)
+ { return true; }
+static void rndsink_commit(struct rndsink *s)
+ { return; }
+#else /* !_STANDALONE */
+#include <sys/kernel.h>
#include <sys/mutex.h>
-#include <sys/rngtest.h>
-#else
-#define mutex_spin_enter(x) ;
-#define mutex_spin_exit(x) ;
-#define mutex_init(x, y, z) ;
-#endif
+#include <sys/rndsink.h>
+#endif /* _STANDALONE */
#include <lib/libkern/libkern.h>
-#if NRND > 0
-#include <sys/rnd.h>
-#include <dev/rnd_private.h>
-
-static rndsink_t rs;
-
-#endif
-
/*
* The best known attack that distinguishes RC4 output from a random
* bitstream requires 2^25 bytes. (see Paul and Preneel, Analysis of
@@ -97,9 +99,8 @@ static rndsink_t rs;
#define ARC4_RESEED_SECONDS 300
#define ARC4_KEYBYTES 16 /* 128 bit key */
-#ifdef _STANDALONE
-#define time_uptime 1 /* XXX ugly! */
-#endif /* _STANDALONE */
+static kmutex_t arc4_mtx;
+static struct rndsink *arc4_rndsink;
static u_int8_t arc4_i, arc4_j;
static int arc4_initialized = 0;
@@ -107,10 +108,10 @@ static int arc4_numbytes = 0;
static u_int8_t arc4_sbox[256];
static time_t arc4_nextreseed;
-#ifdef _KERNEL
-kmutex_t arc4_mtx;
-#endif
-
+static rndsink_callback_t arc4_rndsink_callback;
+static void arc4_randrekey(void);
+static void arc4_randrekey_from(const uint8_t[ARC4_KEYBYTES], bool);
+static void arc4_init(void);
static inline u_int8_t arc4_randbyte(void);
static inline void arc4randbytes_unlocked(void *, size_t);
void _arc4randbytes(void *, size_t);
@@ -126,133 +127,76 @@ arc4_swap(u_int8_t *a, u_int8_t *b)
*b = c;
}
+static void
+arc4_rndsink_callback(void *context __unused, const void *seed, size_t bytes)
+{
+
+ KASSERT(bytes == ARC4_KEYBYTES);
+ arc4_randrekey_from(seed, true);
+ rndsink_commit(arc4_rndsink);
+}
+
/*
- * Stir our S-box.
+ * Stir our S-box with whatever we can get from the system entropy pool
+ * now.
*/
static void
-arc4_randrekey(void *arg)
+arc4_randrekey(void)
{
- u_int8_t key[256];
- int n, ask_for_more = 0;
-#ifdef _KERNEL
-#ifdef DIAGNOSTIC
-#if 0 /* XXX rngtest_t is too large and could cause stack overflow */
- rngtest_t rt;
-#endif
-#endif
-#endif
-#if NRND > 0
- static int callback_pending;
- int r;
-#endif
+ uint8_t seed[ARC4_KEYBYTES];
- /*
- * The first time through, we must take what we can get,
- * so schedule ourselves for callback no matter what.
- */
- if (__predict_true(arc4_initialized)) {
- mutex_spin_enter(&arc4_mtx);
- }
-#if NRND > 0 /* XXX without rnd, we will key from the stack, ouch! */
- else {
- ask_for_more = 1;
- r = rnd_extract_data(key, ARC4_KEYBYTES, RND_EXTRACT_ANY);
- goto got_entropy;
- }
+ const bool full_entropy = rndsink_request(arc4_rndsink, seed,
+ sizeof(seed));
+ arc4_randrekey_from(seed, full_entropy);
+ explicit_bzero(seed, sizeof(seed));
+}
- if (arg == NULL) {
- if (callback_pending) {
- if (arc4_numbytes > ARC4_HARDMAX) {
- printf("arc4random: WARNING, hit 2^29 bytes, "
- "forcibly rekeying.\n");
- r = rnd_extract_data(key, ARC4_KEYBYTES,
- RND_EXTRACT_ANY);
- mutex_spin_enter(&rs.mtx);
- rndsink_detach(&rs);
- mutex_spin_exit(&rs.mtx);
- callback_pending = 0;
- goto got_entropy;
- } else {
- mutex_spin_exit(&arc4_mtx);
- return;
- }
- }
- r = rnd_extract_data(key, ARC4_KEYBYTES, RND_EXTRACT_GOOD);
- if (r < ARC4_KEYBYTES) {
- ask_for_more = 1;
- }
- } else {
- ask_for_more = 0;
- callback_pending = 0;
- if (rs.len != ARC4_KEYBYTES) {
- panic("arc4_randrekey: rekey callback bad length");
- }
- memcpy(key, rs.data, rs.len);
- memset(rs.data, 0, rs.len);
- }
+/*
+ * Stir our S-box with what's in seed.
+ */
+static void
+arc4_randrekey_from(const uint8_t seed[ARC4_KEYBYTES], bool full_entropy)
+{
+ uint8_t key[256];
+ size_t n;
+
+ mutex_spin_enter(&arc4_mtx);
+
+ (void)memcpy(key, seed, ARC4_KEYBYTES);
-got_entropy:
-
- if (!ask_for_more) {
- callback_pending = 0;
- } else if (!callback_pending) {
- callback_pending = 1;
- mutex_spin_enter(&rs.mtx);
- strlcpy(rs.name, "arc4random", sizeof(rs.name));
- rs.cb = arc4_randrekey;
- rs.arg = &rs;
- rs.len = ARC4_KEYBYTES;
- rndsink_attach(&rs);
- mutex_spin_exit(&rs.mtx);
+ /* Rekey the arc4 state. */
+ for (n = ARC4_KEYBYTES; n < sizeof(key); n++)
+ key[n] = key[n % ARC4_KEYBYTES];
+
+ for (n = 0; n < 256; n++) {
+ arc4_j = (arc4_j + arc4_sbox[n] + key[n]) % 256;
+ arc4_swap(&arc4_sbox[n], &arc4_sbox[arc4_j]);
}
-#endif
+ arc4_i = arc4_j;
+
+ explicit_bzero(key, sizeof(key));
+
/*
- * If it's the first time, or we got a good key, actually rekey.
+ * Throw away the first N words of output, as suggested in the
+ * paper "Weaknesses in the Key Scheduling Algorithm of RC4" by
+ * Fluher, Mantin, and Shamir. (N = 256 in our case.)
*/
- if (!ask_for_more || !arc4_initialized) {
- for (n = ARC4_KEYBYTES; n < sizeof(key); n++)
- key[n] = key[n % ARC4_KEYBYTES];
-
- for (n = 0; n < 256; n++) {
- arc4_j = (arc4_j + arc4_sbox[n] + key[n]) % 256;
- arc4_swap(&arc4_sbox[n], &arc4_sbox[arc4_j]);
- }
- arc4_i = arc4_j;
-
- memset(key, 0, sizeof(key));
- /*
- * Throw away the first N words of output, as suggested in the
- * paper "Weaknesses in the Key Scheduling Algorithm of RC4"
- * by Fluher, Mantin, and Shamir. (N = 256 in our case.)
- */
- for (n = 0; n < 256 * 4; n++)
- arc4_randbyte();
-
- /* Reset for next reseed cycle. */
- arc4_nextreseed = time_uptime + ARC4_RESEED_SECONDS;
- arc4_numbytes = 0;
-#ifdef _KERNEL
-#ifdef DIAGNOSTIC
-#if 0 /* XXX rngtest_t is too large and could cause stack overflow */
- /*
- * Perform the FIPS 140-2 statistical RNG test; warn if our
- * output has such poor quality as to fail the test.
- */
- arc4randbytes_unlocked(rt.rt_b, sizeof(rt.rt_b));
- strlcpy(rt.rt_name, "arc4random", sizeof(rt.rt_name));
- if (rngtest(&rt)) {
- /* rngtest will scream to the console. */
- arc4_nextreseed = time_uptime;
- arc4_numbytes = ARC4_MAXBYTES;
- /* XXX should keep old context around, *NOT* use new */
- }
-#endif
-#endif
+ for (n = 0; n < 256 * 4; n++)
+ arc4_randbyte();
+
+ /*
+ * Reset for next reseed cycle. If we don't have full entropy,
+ * caller has scheduled a reseed already.
+ */
+ arc4_nextreseed = time_uptime +
+ (full_entropy? ARC4_RESEED_SECONDS : 0);
+ arc4_numbytes = 0;
+
+#if 0 /* XXX */
+ arc4_rngtest();
#endif
- }
- if (__predict_true(arc4_initialized)) {
- mutex_spin_exit(&arc4_mtx);
- }
+
+ mutex_spin_exit(&arc4_mtx);
}
/*
@@ -264,12 +208,14 @@ arc4_init(void)
int n;
mutex_init(&arc4_mtx, MUTEX_DEFAULT, IPL_VM);
- mutex_init(&rs.mtx, MUTEX_DEFAULT, IPL_VM);
+ arc4_rndsink = rndsink_create(ARC4_KEYBYTES, &arc4_rndsink_callback,
+ NULL);
+
arc4_i = arc4_j = 0;
for (n = 0; n < 256; n++)
arc4_sbox[n] = (u_int8_t) n;
- arc4_randrekey(NULL);
+ arc4_randrekey();
arc4_initialized = 1;
}
@@ -317,7 +263,7 @@ _arc4randbytes(void *p, size_t len)
mutex_spin_exit(&arc4_mtx);
if ((arc4_numbytes > ARC4_MAXBYTES) ||
(time_uptime > arc4_nextreseed)) {
- arc4_randrekey(NULL);
+ arc4_randrekey();
}
}
diff --git a/sys/rump/librump/rumpkern/Makefile.rumpkern
b/sys/rump/librump/rumpkern/Makefile.rumpkern
index 313be7e..7601a72 100644
--- a/sys/rump/librump/rumpkern/Makefile.rumpkern
+++ b/sys/rump/librump/rumpkern/Makefile.rumpkern
@@ -79,6 +79,7 @@ SRCS+= init_sysctl_base.c \
kern_resource.c \
kern_rndpool.c \
kern_rndq.c \
+ kern_rndsink.c \
kern_stub.c \
kern_syscall.c \
kern_sysctl.c \
diff --git a/sys/rump/librump/rumpkern/cprng_stub.c
b/sys/rump/librump/rumpkern/cprng_stub.c
index d7004f6..a7fffe6 100644
--- a/sys/rump/librump/rumpkern/cprng_stub.c
+++ b/sys/rump/librump/rumpkern/cprng_stub.c
@@ -29,16 +29,17 @@
* POSSIBILITY OF SUCH DAMAGE.
*/
-#include <sys/types.h>
-#include <sys/time.h>
#include <sys/param.h>
+#include <sys/types.h>
+#include <sys/cprng.h>
+#include <sys/event.h>
#include <sys/kernel.h>
-#include <sys/systm.h>
#include <sys/kmem.h>
#include <sys/mutex.h>
+#include <sys/poll.h>
#include <sys/rngtest.h>
-
-#include <sys/cprng.h>
+#include <sys/systm.h>
+#include <sys/time.h>
#include <rump/rumpuser.h>
@@ -60,41 +61,46 @@ cprng_init(void)
}
cprng_strong_t *
-cprng_strong_create(const char *const name, int ipl, int flags)
+cprng_strong_create(const char *const name __unused, int ipl __unused,
+ int flags __unused)
{
- cprng_strong_t *c;
-
- /* zero struct to zero counters we won't ever set with no DRBG */
- c = kmem_zalloc(sizeof(*c), KM_NOSLEEP);
- if (c == NULL) {
- return NULL;
- }
- strlcpy(c->name, name, sizeof(c->name));
- mutex_init(&c->mtx, MUTEX_DEFAULT, ipl);
- if (c->flags & CPRNG_USE_CV) {
- cv_init(&c->cv, name);
- }
- selinit(&c->selq);
- return c;
+ return NULL;
}
-
size_t
-cprng_strong(cprng_strong_t *c, void *p, size_t len, int blocking)
+cprng_strong(cprng_strong_t *c __unused, void *p, size_t len,
+ int blocking __unused)
{
- mutex_enter(&c->mtx);
+ KASSERT(c == NULL);
cprng_fast(p, len); /* XXX! */
- mutex_exit(&c->mtx);
return len;
}
+int
+cprng_strong_kqfilter(cprng_strong_t *c __unused, struct knote *kn __unused)
+{
+ KASSERT(c == NULL);
+ kn->kn_data = CPRNG_MAX_LEN;
+ return 1;
+}
+
+int
+cprng_strong_poll(cprng_strong_t *c __unused, int events)
+{
+ KASSERT(c == NULL);
+ return (events & (POLLIN | POLLRDNORM));
+}
+
+void
+cprng_strong_deplete(struct cprng_strong *c __unused)
+{
+ KASSERT(c == NULL);
+}
+
void
-cprng_strong_destroy(cprng_strong_t *c)
+cprng_strong_destroy(cprng_strong_t *c __unused)
{
- mutex_destroy(&c->mtx);
- cv_destroy(&c->cv);
- memset(c, 0, sizeof(*c));
- kmem_free(c, sizeof(*c));
+ KASSERT(c == NULL);
}
size_t
@@ -103,6 +109,7 @@ cprng_fast(void *p, size_t len)
size_t randlen;
rumpuser_getrandom(p, len, 0, &randlen);
+ KASSERT(randlen == len);
return len;
}
@@ -113,6 +120,7 @@ cprng_fast32(void)
uint32_t ret;
rumpuser_getrandom(&ret, sizeof(ret), 0, &randlen);
+ KASSERT(randlen == sizeof(ret));
return ret;
}
@@ -123,5 +131,6 @@ cprng_fast64(void)
size_t randlen;
rumpuser_getrandom(&ret, sizeof(ret), 0, &randlen);
+ KASSERT(randlen == sizeof(ret));
return ret;
}
diff --git a/sys/sys/cprng.h b/sys/sys/cprng.h
index 269e238..89b3f69 100644
--- a/sys/sys/cprng.h
+++ b/sys/sys/cprng.h
@@ -1,11 +1,11 @@
/* $NetBSD: cprng.h,v 1.6 2012/11/25 15:29:45 christos Exp $ */
/*-
- * Copyright (c) 2011 The NetBSD Foundation, Inc.
+ * Copyright (c) 2011-2013 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This code is derived from software contributed to The NetBSD Foundation
- * by Thor Lancelot Simon.
+ * by Thor Lancelot Simon and Taylor R. Campbell.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -28,16 +28,19 @@
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
+
+/*
+ * XXX Don't change this to _SYS_CPRNG_H or anything -- code outside
+ * this file relies on its name... (I'm looking at you, ipf!)
+ */
#ifndef _CPRNG_H
#define _CPRNG_H
#include <sys/types.h>
-#include <sys/fcntl.h>
-#include <lib/libkern/libkern.h>
-#include <sys/rnd.h>
+#include <sys/fcntl.h> /* XXX users bogusly transitively need this */
+#include <sys/rnd.h> /* XXX users bogusly transitively need this */
+
#include <crypto/nist_ctr_drbg/nist_ctr_drbg.h>
-#include <sys/condvar.h>
-#include <sys/select.h>
/*
* NIST SP800-90 says 2^19 bytes per request for the CTR_DRBG.
@@ -77,17 +80,9 @@ uint32_t cprng_fast32(void);
uint64_t cprng_fast64(void);
#endif
-typedef struct _cprng_strong {
- kmutex_t mtx;
- kcondvar_t cv;
- struct selinfo selq;
- NIST_CTR_DRBG drbg;
- int flags;
- char name[16];
- int reseed_pending;
- int entropy_serial;
- rndsink_t reseed;
-} cprng_strong_t;
+typedef struct cprng_strong cprng_strong_t;
+
+void cprng_init(void);
#define CPRNG_INIT_ANY 0x00000001
#define CPRNG_REKEY_ANY 0x00000002
@@ -97,59 +92,38 @@ b\0INIT_ANY\0\
b\1REKEY_ANY\0\
b\2USE_CV\0"
-cprng_strong_t *cprng_strong_create(const char *const, int, int);
+cprng_strong_t *
+ cprng_strong_create(const char *, int, int);
+void cprng_strong_destroy(cprng_strong_t *);
+size_t cprng_strong(cprng_strong_t *, void *, size_t, int);
-size_t cprng_strong(cprng_strong_t *const, void *const, size_t, int);
+struct knote; /* XXX temp, for /dev/random */
+int cprng_strong_kqfilter(cprng_strong_t *, struct knote *); /* XXX " */
+int cprng_strong_poll(cprng_strong_t *, int); /* XXX " */
+void cprng_strong_deplete(cprng_strong_t *); /* XXX " */
-void cprng_strong_destroy(cprng_strong_t *);
-
-extern cprng_strong_t * kern_cprng;
+extern cprng_strong_t *kern_cprng;
static inline uint32_t
cprng_strong32(void)
{
uint32_t r;
cprng_strong(kern_cprng, &r, sizeof(r), 0);
- return r;
+ return r;
}
static inline uint64_t
cprng_strong64(void)
{
- uint64_t r;
+ uint64_t r;
cprng_strong(kern_cprng, &r, sizeof(r), 0);
- return r;
-}
-
-static inline int
-cprng_strong_ready(cprng_strong_t *c)
-{
- int ret = 0;
-
- mutex_enter(&c->mtx);
- if (c->drbg.reseed_counter < NIST_CTR_DRBG_RESEED_INTERVAL) {
- ret = 1;
- }
- mutex_exit(&c->mtx);
- return ret;
-}
-
-static inline void
-cprng_strong_deplete(cprng_strong_t *c)
-{
- mutex_enter(&c->mtx);
- c->drbg.reseed_counter = NIST_CTR_DRBG_RESEED_INTERVAL + 1;
- mutex_exit(&c->mtx);
+ return r;
}
-static inline int
+static inline unsigned int
cprng_strong_strength(cprng_strong_t *c)
{
return NIST_BLOCK_KEYLEN_BYTES;
}
-void cprng_init(void);
-int cprng_strong_getflags(cprng_strong_t *const);
-void cprng_strong_setflags(cprng_strong_t *const, int);
-
-#endif
+#endif /* _CPRNG_H */
diff --git a/sys/sys/rnd.h b/sys/sys/rnd.h
index cfab0af..6333c84 100644
--- a/sys/sys/rnd.h
+++ b/sys/sys/rnd.h
@@ -139,23 +139,6 @@ rndsource_setcb(struct krndsource *const rs, void *const
cb, void *const arg)
rs->getarg = arg;
}
-enum rsink_st {
- RSTATE_IDLE = 0,
- RSTATE_PENDING,
- RSTATE_HASBITS
-};
-
-typedef struct rndsink {
- TAILQ_ENTRY(rndsink) tailq; /* the queue */
- kmutex_t mtx; /* lock to seed or unregister */
- enum rsink_st state; /* in-use? filled? */
- void (*cb)(void *); /* callback function when ready */
- void *arg; /* callback function argument */
- char name[16]; /* sink name */
- size_t len; /* how many bytes wanted/supplied */
- uint8_t data[64]; /* random data returned here */
-} rndsink_t;
-
typedef struct {
uint32_t cursor; /* current add point in the pool */
uint32_t rotate; /* how many bits to rotate by */
@@ -183,8 +166,7 @@ void rnd_attach_source(krndsource_t *, const
char *,
uint32_t, uint32_t);
void rnd_detach_source(krndsource_t *);
-void rndsink_attach(rndsink_t *);
-void rndsink_detach(rndsink_t *);
+void rnd_getmore(size_t);
void rnd_seed(void *, size_t);
@@ -256,7 +238,7 @@ typedef struct {
* A context. cprng plus a smidge.
*/
typedef struct {
- struct _cprng_strong *cprng;
+ struct cprng_strong *cprng;
int hard;
int bytesonkey;
kmutex_t interlock;
diff --git a/sys/sys/rndsink.h b/sys/sys/rndsink.h
new file mode 100644
index 0000000..c439ba2
--- /dev/null
+++ b/sys/sys/rndsink.h
@@ -0,0 +1,54 @@
+/* $NetBSD$ */
+
+/*-
+ * Copyright (c) 2013 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Taylor R. Campbell.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _SYS_RNDSINK_H
+#define _SYS_RNDSINK_H
+
+#ifndef _KERNEL /* XXX */
+#error <sys/rndsink.h> is meant for kernel consumers only.
+#endif
+
+#define RNDSINK_MAX_BYTES 32
+
+struct rndsink;
+
+typedef void rndsink_callback_t(void *, const void *, size_t);
+
+void rndsinks_init(void);
+void rndsinks_distribute(void);
+struct rndsink *
+ rndsink_create(size_t, rndsink_callback_t *, void *);
+void rndsink_destroy(struct rndsink *);
+bool rndsink_request(struct rndsink *, void *, size_t);
+void rndsink_schedule(struct rndsink *);
+void rndsink_commit(struct rndsink *);
+
+#endif /* _SYS_RNDSINK_H */
diff --git a/usr.bin/fstat/misc.c b/usr.bin/fstat/misc.c
index 1d03f7b..0b67bb2 100644
--- a/usr.bin/fstat/misc.c
+++ b/usr.bin/fstat/misc.c
@@ -205,23 +205,9 @@ p_rnd(struct file *f)
dprintf("can't read rnd at %p for pid %d", f->f_data, Pid);
return 0;
}
- (void)printf("* rnd ");
+ (void)printf("* rnd");
if (rp.hard)
- printf("bytesonkey=%d, ", rp.bytesonkey);
- if (rp.cprng) {
- cprng_strong_t cprng;
- if (!KVM_READ(rp.cprng, &cprng, sizeof(cprng))) {
- dprintf("can't read rnd cprng at %p for pid %d",
- rp.cprng, Pid);
- } else {
- char buf[128];
- snprintb(buf, sizeof(buf), CPRNG_FMT, cprng.flags);
- (void)printf("name=%s, serial=%d%s, flags=%s\n",
- cprng.name, cprng.entropy_serial,
- cprng.reseed_pending ? ", reseed" : "", buf);
- return 0;
- }
- }
+ printf(" bytesonkey=%d", rp.bytesonkey);
printf("\n");
return 0;
}
Home |
Main Index |
Thread Index |
Old Index