tech-security archive


Patch: new random pseudodevice



I have placed a patch at http://www.panix.com/~tls/rndpseudo.diff
which removes direct userspace access to the kernel entropy pool.  It
is replaced with the NIST SP 800-90 CTR_DRBG generator, separately
keyed per pseudodevice open (actually, keyed on first read or select so
opens don't themselves consume entropy).

The urandom device node will key the generator and output data even if the
kernel entropy pool estimates that it does not have enough bits to
provide an AES-128 key with full entropy.  The random device node will block
until sufficient bits are available from the pool to key the generator.

Nonblocking/select/poll semantics should be the same as with the old
code -- I have test cases for this.

This generator is approximately 20 times as fast as the old generator
(dd with bs=64K yields 53MB/sec on 2Ghz Core2 instead of 2.5MB/sec)
and also uses a separate mutex per instance so concurrency is greatly
improved.

I have also fixed various bugs (including some missing locking and a
reseed-counter overflow in the CTR_DRBG code) while testing this.  I
am sure there are new bugs too.

I intend to check this in by Monday, December 12, and then, in a
separate step, move the remaining code from "rnd.c" and "rndpool.c"
to sys/kern from sys/dev, since it is no longer device code.  So, if
you have comments -- soon, please.

Thanks!

Thor
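The per-open generator the post describes, as an added example that is not Thor's patch or NetBSD code: one CTR_DRBG (AES-128, no derivation function, per SP 800-90A) per open, keyed on the first read rather than at open, keyed for the urandom node regardless of the pool estimate, refused for the random node below 128 bits (returning ErrWouldBlock where the kernel would sleep), and guarded by a reseed counter that is checked before use so it cannot wrap. The Pool type, the 2^16 reseed interval and the way seeds are made distinct per draw are assumptions of this example.

```go
package main

import ("crypto/aes"; "errors")
const reseedInterval = 1 << 16 // assumed bound; SP 800-90A allows up to 2^48 generate calls
var ErrWouldBlock = errors.New("pool estimate below 128 bits: a random-node read would block")
var ErrReseed = errors.New("reseed counter exhausted: refusing output until rekeyed")

// Pool stands in for the kernel entropy pool (constructed): an estimate plus one distinct seed per draw.
type Pool struct{ Bits int; Seed [32]byte; draws byte }
func (p *Pool) extract(blocking bool) ([]byte, error) {
	if blocking && p.Bits < 128 { return nil, ErrWouldBlock } // random node waits for a full AES-128 key
	s := p.Seed
	s[0] ^= p.draws // a real pool would hash its state; this only keeps draws distinct
	p.draws++
	return s[:], nil
}
// DRBG is one CTR_DRBG (AES-128, no derivation function) per open; key is nil until the first read.
type DRBG struct{ key, v []byte; count uint64; Block bool; Pool *Pool }

// ctr returns AES_key(V+1) || AES_key(V+2) || ... truncated to n bytes, advancing V in place.
func ctr(key, v []byte, n int) []byte {
	c, _ := aes.NewCipher(key)
	out := make([]byte, 0, n+16)
	for blk := make([]byte, 16); len(out) < n; out = append(out, blk...) {
		for i := 15; i >= 0; i-- { if v[i]++; v[i] != 0 { break } } // V = (V+1) mod 2^128
		c.Encrypt(blk, v)
	}
	return out[:n]
}
// update is CTR_DRBG_Update: new (key, V) = keystream under the old (key, V) XOR data.
func (d *DRBG) update(data []byte) {
	t := ctr(d.key, d.v, 32)
	for i := range t { t[i] ^= data[i] }
	d.key, d.v = t[:16], t[16:]
}
// Read keys the instance on first use (so opens consume no entropy), then runs CTR_DRBG_Generate.
func (d *DRBG) Read(n int) ([]byte, error) {
	if d.key == nil {
		seed, err := d.Pool.extract(d.Block)
		if err != nil { return nil, err }
		d.key, d.v = make([]byte, 16), make([]byte, 16)
		d.update(seed) // Instantiate: Update(seed, 0^128, 0^128)
		d.count = 1
	}
	if d.count > reseedInterval { return nil, ErrReseed } // checked before use, so it cannot wrap
	out := ctr(d.key, d.v, n)
	d.update(make([]byte, 32)) // Generate with no additional input
	d.count++
	return out, nil
}
```

Two opens on the same pool draw different seeds and therefore produce independent streams, while the same seed always reproduces the same stream, which is what makes the per-open keying matter.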

