Commit Graph

47 Commits

Author SHA1 Message Date
simon
ab5beb74a6 Correct a random value disclosure in random(4).
Security:	FreeBSD-SA-07:09.random
2007-11-29 16:06:12 +00:00
rwatson
6dd98d5d4e Rather than repeatedly setting and discarding local variable 'o' based
on the return values of various run-time sysctl additions, just ignore
the return value.

Found with:	Coverity Prevent(tm)
CID:		562
2007-05-27 18:54:58 +00:00
ps
46c91127c8 Remove GIANT from device random.
Submitted by:	ups
2005-12-20 21:41:52 +00:00
ume
73402ef817 stop including rijndael-api-fst.h from rijndael.h.
this is required to integrate opencrypto into crypto.
2005-03-11 15:42:51 +00:00
markm
55fe453be7 Reorganise the entropy device so that high-yield entropy sources
can more easily be used INSTEAD OF the hard-working Yarrow.
The only hardware source used at this point is the one inside
the VIA C3 Nehemiah (Stepping 3 and above) CPU. More sources will
be added in due course. Contributions welcome!
2004-04-09 15:47:10 +00:00
markm
f9c9435156 Overhaul the entropy device:
o Each source gets its own queue, which is a FIFO, not a ring buffer.
  The FIFOs are implemented with the sys/queue.h macros. The separation
  is so that a low entropy/high rate source can't swamp the harvester
  with low-grade entropy and destroy the reseeds.

o Each FIFO is limited to 256 (set as a macro, so adjustable) events
  queueable. Full FIFOs are ignored by the harvester. This is to
  prevent memory wastage, and helps to keep the kernel thread CPU
  usage within reasonable limits.

o There is no need to break up the event harvesting into ${burst}
  sized chunks, so retire that feature.

o Break the device away from its roots with the memory device, and
  allow it to get its major number automagically.
2003-11-17 23:02:21 +00:00
obrien
c63dab466c Use __FBSDID().
Also some minor style cleanups.
2003-08-24 17:55:58 +00:00
markm
824369dc3e Fix a buffer overrun in /dev/random which, due to the nature of the
kernel memory allocator, is harmless. This could be a problem for
other systems, though. I've modified Darren's patch a little.

Original patch by: Darren Schack, Isilon Systems, Inc <darrens@isilon.com>
Also analysed by:  SGI, and in particular Divy Le Ray of SGI
OK'ed by:          re(rwatson)
2002-12-12 17:38:45 +00:00
markm
d858b4fee1 Remove #ifdef'ed Giant mutex wrappers round debugging statements. 2002-09-21 21:44:19 +00:00
markm
2370535caa Upgrade the random device to use a "real" hash instead of building
one out of a block cipher. This has 2 advantages:
1) The code is _much_ simpler
2) We aren't committing our security to one algorithm (much as we
   may think we trust AES).

While I'm here, make an explicit reseed do a slow reseed instead
of a fast; this is in line with what the original paper suggested.
2002-07-15 13:58:35 +00:00
jhb
db9aa81e23 Change callers of mtx_init() to pass in an appropriate lock type name. In
most cases NULL is passed, but in some cases such as network driver locks
(which use the MTX_NETWORK_LOCK macro) and UMA zone locks, a name is used.

Tested on:	i386, alpha, sparc64
2002-04-04 21:03:38 +00:00
markm
1b3c288707 Massive lint-inspired cleanup.
Remove unneeded includes.
Deal with unused function arguments.
Resolve a boatload of signed/unsigned imcompatabilities.
Etc.
2002-03-03 19:44:22 +00:00
msmith
caa458225b Staticise the random_state array.
Reviewed by:	markm
2002-01-10 00:09:21 +00:00
jhb
b47bfbe544 Catch up to header include changes:
- <sys/mutex.h> now requires <sys/systm.h>
- <sys/mutex.h> and <sys/sx.h> now require <sys/lock.h>
2001-03-28 09:17:56 +00:00
markm
e636d5eb80 Fix nasty corruption problem where a 64bit variable was being used
(overflowed) to catch a 256bit result.

Hard work done by:	jhb
2001-03-28 06:27:42 +00:00
markm
ad4dd3b5a2 Very large makeover of the /dev/random driver.
o Separate the kernel stuff from the Yarrow algorithm. Yarrow is now
  well contained in one source file and one header.

o Replace the Blowfish-based crypto routines with Rijndael-based ones.
  (Rijndael is the new AES algorithm). The huge improvement in
  Rijndael's key-agility over Blowfish means that this is an
  extremely dramatic improvement in speed, and makes a heck of
  a difference in its (lack of) CPU load.

o Clean up the sysctl's. At BDE's prompting, I have gone back to
  static sysctls.

o Bug fixes. The streamlining of the crypto stuff enabled me to
  find and fix some bugs. DES also found a bug in the reseed routine
  which is fixed.

o Change the way reseeds clear "used" entropy. Previously, only the
  source(s) that caused a reseed were cleared. Now all sources in the
  relevant pool(s) are cleared.

o Code tidy-up. Mostly to make it (nearly) 80-column compliant.
2001-03-10 12:51:55 +00:00
markm
70d224b106 Take down a comment that is no longer true.
/dev/random is ready for prime time!
2001-03-03 14:35:01 +00:00
markm
ea5e661a0c Make a big improvement to entropy-harvesting speed by not having any
locks (only atomic assigns) in the harvest ringbuffer.
2001-02-11 16:21:35 +00:00
bmilekic
f364d4ac36 Change and clean the mutex lock interface.
mtx_enter(lock, type) becomes:

mtx_lock(lock) for sleep locks (MTX_DEF-initialized locks)
mtx_lock_spin(lock) for spin locks (MTX_SPIN-initialized)

similarily, for releasing a lock, we now have:

mtx_unlock(lock) for MTX_DEF and mtx_unlock_spin(lock) for MTX_SPIN.
We change the caller interface for the two different types of locks
because the semantics are entirely different for each case, and this
makes it explicitly clear and, at the same time, it rids us of the
extra `type' argument.

The enter->lock and exit->unlock change has been made with the idea
that we're "locking data" and not "entering locked code" in mind.

Further, remove all additional "flags" previously passed to the
lock acquire/release routines with the exception of two:

MTX_QUIET and MTX_NOSWITCH

The functionality of these flags is preserved and they can be passed
to the lock/unlock routines by calling the corresponding wrappers:

mtx_{lock, unlock}_flags(lock, flag(s)) and
mtx_{lock, unlock}_spin_flags(lock, flag(s)) for MTX_DEF and MTX_SPIN
locks, respectively.

Re-inline some lock acq/rel code; in the sleep lock case, we only
inline the _obtain_lock()s in order to ensure that the inlined code
fits into a cache line. In the spin lock case, we inline recursion and
actually only perform a function call if we need to spin. This change
has been made with the idea that we generally tend to avoid spin locks
and that also the spin locks that we do have and are heavily used
(i.e. sched_lock) do recurse, and therefore in an effort to reduce
function call overhead for some architectures (such as alpha), we
inline recursion for this case.

Create a new malloc type for the witness code and retire from using
the M_DEV type. The new type is called M_WITNESS and is only declared
if WITNESS is enabled.

Begin cleaning up some machdep/mutex.h code - specifically updated the
"optimized" inlined code in alpha/mutex.h and wrote MTX_LOCK_SPIN
and MTX_UNLOCK_SPIN asm macros for the i386/mutex.h as we presently
need those.

Finally, caught up to the interface changes in all sys code.

Contributors: jake, jhb, jasone (in no particular order)
2001-02-09 06:11:45 +00:00
asmodai
fad0d5dcfa Fix typos: initalise -> initialise.
Initalise is not an english word.
2001-02-08 20:28:57 +00:00
markm
fde03d4ba0 Remove NOBLOCKRANDOM as a compile-time option. Instead, provide
exactly the same functionality via a sysctl, making this feature
a run-time option.

The default is 1(ON), which means that /dev/random device will
NOT block at startup.

setting kern.random.sys.seeded to 0(OFF) will cause /dev/random
to block until the next reseed, at which stage the sysctl
will be changed back to 1(ON).

While I'm here, clean up the sysctls, and make them dynamic.
Reviewed by:		des
Tested on Alpha by:	obrien
2001-01-14 17:50:15 +00:00
wollman
70c88bb8da select() DKI is now in <sys/selinfo.h>. 2001-01-09 04:33:49 +00:00
markm
d04b66b7bc Major speedup to /dev/random and the kernel thread that reseeds it.
There is no more TAILQ fifo to harvest the entropy; instead, there
is a circular buffer of constant size (changeable by macro) that
pretty dramatically improves the speed and fixes potential slowdowns-
by-locking.

Also gone are a slew of malloc(9) and free(9) calls; all harvesting
buffers are static.

All-in-all, this is a good performance improvement.

Thanks-to:	msmith for the circular buffer concept-code.
2000-12-02 18:40:16 +00:00
markm
6ac673bf3c Greatly improve the boot-up unblocking time of the entropy device. 2000-11-25 19:13:29 +00:00
markm
9ec7bc0451 Stop explicitly using nanotime(9) and use the new get_cyclecounter(9)
call instead.

This makes a pretty dramatic difference to the amount of work that
the harvester needs to do - it is much friendlier on the system.
(80386 and 80486 class machines will notice little, as the new
get_cyclecounter() call is a wrapper round nanotime(9) for them).
2000-11-25 17:09:01 +00:00
phk
94a5006c9a Remove unneeded #include <sys/proc.h> lines. 2000-10-29 13:57:19 +00:00
jhb
d944886e4d Catch up to moving headers:
- machine/ipl.h -> sys/ipl.h
- machine/mutex.h -> sys/mutex.h
2000-10-20 07:58:15 +00:00
markm
a8d2363750 After some complaints about the dir names, the random device is
now in dirs called sys/*/random/ instead of sys/*/randomdev/*.

Introduce blocking, but only at startup; the random device will
block until the first reseed happens to prevent clients from
using untrustworthy output.

Provide a read_random() call for the rest of the kernel so that
the entropy device does not need to be present. This means that
things like IPX no longer need to have "device random" hardcoded
into thir kernel config. The downside is that read_random() will
provide very poor output until the entropy device is loaded and
reseeded. It is recommended that developers do NOT use the
read_random() call; instead, they should use arc4random() which
internally uses read_random().

Clean up the mutex and locking code a bit; this makes it possible
to unload the module again.
2000-10-14 10:59:56 +00:00
markm
2e74df8cf9 Remove unneeded includes.
Submitted by:	phk
2000-09-21 06:23:16 +00:00
jhb
ebc05310ca Remove the mtx_t, witness_t, and witness_blessed_t types. Instead, just
use struct mtx, struct witness, and struct witness_blessed.

Requested by:	bde
2000-09-14 20:15:16 +00:00
markm
8310a08654 The "struct proc" argument to read_random was ill-conceived, and a
hangover from previous experimentation. Remove it. This will clean
up gratuitous needs for forward references and other namespace
pollution.
Moaned about by:	bde
Brought to my attention by:	bp
2000-09-12 13:13:22 +00:00
jhb
5a1ae8110e Move the prototypes for random_set_wakeup* from yarrow.c to yarrow.h so that
both yarrow.c and harvest.c can use them.

Approved by:	markm
2000-09-11 19:31:28 +00:00
jhb
0ccc0648b7 - Use RFHIGHPID when creating the kthread to get a more sensible pid.
- Don't fake walking a tailq.  Instead, use a while loop that pulls items
  off the head of the queue while the queue is not empty.
2000-09-11 04:09:08 +00:00
markm
bda6631159 Large upgrade to the entropy device; mainly inspired by feedback
from many folk.

o The reseed process is now a kthread. With SMPng, kthreads are
  pre-emptive, so the annoying jerkiness of the mouse is gone.

o The data structures are protected by mutexes now, not splfoo()/splx().

o The cryptographic routines are broken out into their own subroutines.
  this facilitates review, and possible replacement if that is ever
  found necessary.

Thanks to:		kris, green, peter, jasone, grog, jhb
Forgotten to thank:	You know who you are; no offense intended.
2000-09-10 13:52:19 +00:00
markm
12a237a692 o Fix a horrible bug where small reads (< 8 bytes) would return the
wrong bytes.

o Improve the public interface; use void* instead of char* or u_int64_t
  to pass arbitrary data around.
Submitted by:	kris ("horrible bug")
2000-07-25 21:18:47 +00:00
markm
5cdbfcb1a2 Clean this up with some BDE-inspired fixes.
o Make the comments KNF-compliant.
o Use nanotime instead of getnanotime; the manpage lies about the
  kern.timecounter.method - it has been removed.
o Fix the ENTROPYSOURCE const permanently.
o Make variable names more consistent.
o Make function prototypes more consistent.

Some more needs to be done; to follow.
2000-07-23 11:08:16 +00:00
markm
8d78207585 Add randomness write functionality. This does absolutely nothing for
entropy estimation, but causes an immediate reseed after the input
(read in sizeof(u_int64_t) chunks) is "harvested".

This will be used in the reboot "reseeder", coming in another
commit. This can be used very effectively at any time you think
your randomness is compromised; something like

# (ps -gauxwww; netstat -an; dmesg; vmstat -c10 1) > /dev/random

will give the attacker something to think about.
2000-07-17 12:23:04 +00:00
markm
5812cc4cc4 Storing to a pointer is (effectively) atomic; no need to protect this
with splhigh(). However, the entropy-harvesting routine needs pretty
serious irq-protection, as it is called out of irq handlers etc.

Clues given by:	bde
2000-07-11 19:37:25 +00:00
markm
e07f67dda2 I think I need to move the newly static variables to the random_state
structure; remind myself in the cooments. Also regroup all the Yarrow
variables at the top of the variable list; they are "special".
(no functional change).
2000-07-11 18:35:33 +00:00
green
7402d1359e One should never allocate 4-kilobyte structs and such on the interrupt
stack.  It's bad for your machine's health.

Make the two huge structs in reseed() static to prevent crashes.  This
is the bug that people have been running into and panic()ing on for the
past few days.

Reviewed by:	phk
2000-07-11 06:47:38 +00:00
markm
950c011f72 Provide more splsofttq() protection for the reseed task (running out of
taskqueue_swi).
2000-07-10 06:40:23 +00:00
markm
40b3a303c2 Make sure that tasks (running out of taskqueue_swi at splsofttq)
are not interfered with by the harvester.
2000-07-09 16:00:31 +00:00
markm
89ca691934 Yarrow tweaks; separate the fast and slow reseed tasks so that they don't
stomp on each other; provide constant names (as enums) for the harvester
to use (makes it more self-documenting).
2000-07-09 11:52:12 +00:00
markm
3d0396c734 Add entropy gathering code. This will work whether the module is
compiled in or loaded.
2000-07-07 09:03:59 +00:00
markm
291b197f61 style(9) fixes from BDE.
We shouldn't use '#include ""', rather '#include<>'.
2000-06-26 12:14:20 +00:00
markm
3666dff9ff Fix include for non-module case.
Thanks-to:	SOS
2000-06-25 20:03:44 +00:00
markm
c46e65268d New machine-independant /dev/random driver.
This is work-in-progress, and the entropy-gathering routines are not
yet present. As such, this should be viewed as a pretty reasonable
PRNG with _ABSOLUTELY_NO_ security!!

Entropy gathering will be the subject of ongoing work.

This is written as a module, and as such is unloadable, but there is
no refcounting done. I would like to use something like device_busy(9)
to achieve this (eventually).

Lots of useful ideas from:	bde, phk, Jeroen van Gelderen

Reviewed by:	dfr
2000-06-25 08:38:58 +00:00