Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 30 Jun 2015 17:00:45 +0000 (UTC)
From:      Mark Murray <markm@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r284959 - in head: . share/man/man4 share/man/man9 sys/conf sys/dev/glxsb sys/dev/hifn sys/dev/random sys/dev/rndtest sys/dev/safe sys/dev/syscons sys/dev/ubsec sys/dev/virtio/random sy...
Message-ID:  <201506301700.t5UH0jPq001498@svn.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: markm
Date: Tue Jun 30 17:00:45 2015
New Revision: 284959
URL: https://svnweb.freebsd.org/changeset/base/284959

Log:
  Huge cleanup of random(4) code.
  
  * GENERAL
  - Update copyright.
  - Make kernel options for RANDOM_YARROW and RANDOM_DUMMY. Set
    neither to ON, which means we want Fortuna
  - If there is no 'device random' in the kernel, there will be NO
    random(4) device in the kernel, and the KERN_ARND sysctl will
    return nothing. With RANDOM_DUMMY there will be a random(4) that
    always blocks.
  - Repair kern.arandom (KERN_ARND sysctl). The old version went
    through arc4random(9) and was a bit weird.
  - Adjust arc4random stirring a bit - the existing code looks a little
    suspect.
  - Fix the nasty pre- and post-read overloading by providing explictit
    functions to do these tasks.
  - Redo read_random(9) so as to duplicate random(4)'s read internals.
    This makes it a first-class citizen rather than a hack.
  - Move stuff out of locked regions when it does not need to be
    there.
  - Trim RANDOM_DEBUG printfs. Some are excess to requirement, some
    behind boot verbose.
  - Use SYSINIT to sequence the startup.
  - Fix init/deinit sysctl stuff.
  - Make relevant sysctls also tunables.
  - Add different harvesting "styles" to allow for different requirements
    (direct, queue, fast).
  - Add harvesting of FFS atime events. This needs to be checked for
    weighing down the FS code.
  - Add harvesting of slab allocator events. This needs to be checked for
    weighing down the allocator code.
  - Fix the random(9) manpage.
  - Loadable modules are not present for now. These will be re-engineered
    when the dust settles.
  - Use macros for locks.
  - Fix comments.
  
  * src/share/man/...
  - Update the man pages.
  
  * src/etc/...
  - The startup/shutdown work is done in D2924.
  
  * src/UPDATING
  - Add UPDATING announcement.
  
  * src/sys/dev/random/build.sh
  - Add copyright.
  - Add libz for unit tests.
  
  * src/sys/dev/random/dummy.c
  - Remove; no longer needed. Functionality incorporated into randomdev.*.
  
  * live_entropy_sources.c live_entropy_sources.h
  - Remove; content moved.
  - move content to randomdev.[ch] and optimise.
  
  * src/sys/dev/random/random_adaptors.c src/sys/dev/random/random_adaptors.h
  - Remove; plugability is no longer used. Compile-time algorithm
    selection is the way to go.
  
  * src/sys/dev/random/random_harvestq.c src/sys/dev/random/random_harvestq.h
  - Add early (re)boot-time randomness caching.
  
  * src/sys/dev/random/randomdev_soft.c src/sys/dev/random/randomdev_soft.h
  - Remove; no longer needed.
  
  * src/sys/dev/random/uint128.h
  - Provide a fake uint128_t; if a real one ever arrived, we can use
    that instead. All that is needed here is N=0, N++, N==0, and some
    localised trickery is used to manufacture a 128-bit 0ULLL.
  
  * src/sys/dev/random/unit_test.c src/sys/dev/random/unit_test.h
  - Improve unit tests; previously the testing human needed clairvoyance;
    now the test will do a basic check of compressibility. Clairvoyant
    talent is still a good idea.
  - This is still a long way off a proper unit test.
  
  * src/sys/dev/random/fortuna.c src/sys/dev/random/fortuna.h
  - Improve messy union to just uint128_t.
  - Remove unneeded 'static struct fortuna_start_cache'.
  - Tighten up up arithmetic.
  - Provide a method to allow eternal junk to be introduced; harden
    it against blatant by compress/hashing.
  - Assert that locks are held correctly.
  - Fix the nasty pre- and post-read overloading by providing explictit
    functions to do these tasks.
  - Turn into self-sufficient module (no longer requires randomdev_soft.[ch])
  
  * src/sys/dev/random/yarrow.c src/sys/dev/random/yarrow.h
  - Improve messy union to just uint128_t.
  - Remove unneeded 'staic struct start_cache'.
  - Tighten up up arithmetic.
  - Provide a method to allow eternal junk to be introduced; harden
    it against blatant by compress/hashing.
  - Assert that locks are held correctly.
  - Fix the nasty pre- and post-read overloading by providing explictit
    functions to do these tasks.
  - Turn into self-sufficient module (no longer requires randomdev_soft.[ch])
  - Fix some magic numbers elsewhere used as FAST and SLOW.
  
  Differential Revision: https://reviews.freebsd.org/D2025
  Reviewed by: vsevolod,delphij,rwatson,trasz,jmg
  Approved by: so (delphij)

Added:
  head/sys/dev/random/randomdev_none.c   (contents, props changed)
     - copied, changed from r284956, head/sys/dev/random/randomdev_soft.h
Deleted:
  head/sys/dev/random/dummy_rng.c
  head/sys/dev/random/live_entropy_sources.c
  head/sys/dev/random/live_entropy_sources.h
  head/sys/dev/random/random_adaptors.c
  head/sys/dev/random/random_adaptors.h
  head/sys/dev/random/randomdev_soft.c
  head/sys/dev/random/randomdev_soft.h
  head/sys/modules/random/Makefile
Modified:
  head/UPDATING
  head/share/man/man4/random.4
  head/share/man/man9/random.9
  head/share/man/man9/random_harvest.9
  head/sys/conf/files
  head/sys/conf/options
  head/sys/dev/glxsb/glxsb.c
  head/sys/dev/hifn/hifn7751.c
  head/sys/dev/random/build.sh
  head/sys/dev/random/fortuna.c
  head/sys/dev/random/fortuna.h
  head/sys/dev/random/hash.c
  head/sys/dev/random/hash.h
  head/sys/dev/random/ivy.c
  head/sys/dev/random/nehemiah.c
  head/sys/dev/random/random_harvestq.c
  head/sys/dev/random/random_harvestq.h
  head/sys/dev/random/randomdev.c
  head/sys/dev/random/randomdev.h
  head/sys/dev/random/uint128.h
  head/sys/dev/random/unit_test.c
  head/sys/dev/random/unit_test.h
  head/sys/dev/random/yarrow.c
  head/sys/dev/random/yarrow.h
  head/sys/dev/rndtest/rndtest.c
  head/sys/dev/safe/safe.c
  head/sys/dev/syscons/scmouse.c
  head/sys/dev/syscons/syscons.c
  head/sys/dev/ubsec/ubsec.c
  head/sys/dev/virtio/random/virtio_random.c
  head/sys/dev/vt/vt_core.c
  head/sys/dev/vt/vt_sysmouse.c
  head/sys/fs/tmpfs/tmpfs_subr.c
  head/sys/kern/kern_intr.c
  head/sys/kern/kern_mib.c
  head/sys/kern/subr_bus.c
  head/sys/libkern/arc4random.c
  head/sys/libkern/random.c
  head/sys/mips/cavium/octeon_rnd.c
  head/sys/mips/conf/AR71XX_BASE
  head/sys/mips/conf/AR724X_BASE
  head/sys/mips/conf/AR91XX_BASE
  head/sys/mips/conf/AR933X_BASE
  head/sys/mips/conf/AR934X_BASE
  head/sys/mips/conf/PB92
  head/sys/mips/conf/QCA955X_BASE
  head/sys/mips/conf/RT305X
  head/sys/modules/Makefile
  head/sys/modules/crypto/Makefile
  head/sys/net/if_ethersubr.c
  head/sys/net/if_tun.c
  head/sys/netgraph/ng_iface.c
  head/sys/sys/kernel.h
  head/sys/sys/random.h
  head/sys/ufs/ffs/ffs_inode.c
  head/sys/vm/uma_core.c

Modified: head/UPDATING
==============================================================================
--- head/UPDATING	Tue Jun 30 16:26:13 2015	(r284958)
+++ head/UPDATING	Tue Jun 30 17:00:45 2015	(r284959)
@@ -31,6 +31,41 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 11
 	disable the most expensive debugging functionality run
 	"ln -s 'abort:false,junk:false' /etc/malloc.conf".)
 
+20150630:
+	The default kernel entropy-processing algorithm is now
+	Fortuna, replacing Yarrow.
+
+	Assuming you have 'device random' in your kernel config
+	file, the configurations allow a kernel option to override
+	this default. You may choose *ONE* of:
+
+	options	RANDOM_YARROW	# Legacy /dev/random algorithm.
+	options	RANDOM_DUMMY	# Blocking-only driver.
+
+	If you have neither, you get Fortuna.  For most people,
+	read no further, Fortuna will give a /dev/random that works
+	like it always used to, and the difference will be irrelevant.
+
+	If you remove 'device random', you get *NO* kernel-processed
+	entopy at all. This may be acceptable to folks building
+	embedded systems, but has complications. Carry on reading,
+	and it is assumed you know what you need.
+
+	*PLEASE* read random(4) and random(9) if you are in the
+	habit of tweeking kernel configs, and/or if you are a member
+	of the embedded community, wanting specific and not-usual
+	behaviour from your security subsystems.
+
+	NOTE!! If you use RANDOM_DUMMY and/or have no 'device
+	random', you will NOT have a functioning /dev/random, and
+	many cryptographic features will not work, including SSH.
+	You may also find strange behaviour from the random(3) set
+	of library functions, in particular sranddev(3), srandomdev(3)
+	and arc4random(3). The reason for this is that the KERN_ARND
+	sysctl only returns entropy if it thinks it has some to
+	share, and with RANDOM_DUMMY or no 'device random' this
+	will never happen.
+
 20150623:
 	An additional fix for the issue described in the 20150614 sendmail
 	entry below has been been committed in revision 284717.

Modified: head/share/man/man4/random.4
==============================================================================
--- head/share/man/man4/random.4	Tue Jun 30 16:26:13 2015	(r284958)
+++ head/share/man/man4/random.4	Tue Jun 30 17:00:45 2015	(r284959)
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2001-2013	Mark R V Murray.  All rights reserved.
+.\" Copyright (c) 2001-2015	Mark R V Murray.  All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
@@ -23,7 +23,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd October 12, 2013
+.Dd June 30, 2015
 .Dt RANDOM 4
 .Os
 .Sh NAME
@@ -37,31 +37,32 @@ The
 device
 returns an endless supply of random bytes when read.
 It also accepts and reads data
-as any ordinary (and willing) file,
-but discards data written to it.
-The device will probe for
-certain hardware entropy sources,
-and use these in preference to the fallback,
-which is a generator implemented in software.
+as any ordinary file.
 .Pp
-The software generator will start in an
+The generator will start in an
 .Em unseeded
 state, and will block reads until
-it is (re)seeded.
+it is seeded for the first time.
 This may cause trouble at system boot
 when keys and the like
 are generated from
-/dev/random
+.Xr random 4
 so steps should be taken to ensure a
-reseed as soon as possible.
-The
-.Xr sysctl 8
-controlling the
-.Em seeded
-status (see below) may be used
-if security is not an issue
-or for convenience
-during setup or development.
+seeding as soon as possible.
+.Pp
+It is also possible
+to read random bytes
+by using the KERN_ARND sysctl.
+On the command line
+this could be done by
+.Pp
+.Dl "sysctl -x -B 16 kern.arandom"
+.Pp
+This sysctl will not return
+random bytes unless
+the
+.Xr random 4
+is seeded.
 .Pp
 This initial seeding
 of random number generators
@@ -90,101 +91,57 @@ To see the current settings of the softw
 .Nm
 device, use the command line:
 .Pp
-.Dl sysctl kern.random
+.Dl "sysctl kern.random"
 .Pp
 which results in something like:
 .Bd -literal -offset indent
-kern.random.adaptors: yarrow,dummy
-kern.random.active_adaptor: yarrow
-kern.random.yarrow.gengateinterval: 10
-kern.random.yarrow.bins: 10
-kern.random.yarrow.fastthresh: 96
-kern.random.yarrow.slowthresh: 128
-kern.random.yarrow.slowoverthresh: 2
-kern.random.sys.seeded: 1
-kern.random.sys.harvest.ethernet: 1
-kern.random.sys.harvest.point_to_point: 1
-kern.random.sys.harvest.interrupt: 1
-kern.random.sys.harvest.swi: 1
+kern.random.fortuna.minpoolsize: 64
+kern.random.harvest.mask_symbolic: [HIGH_PERFORMANCE], ... ,CACHED
+kern.random.harvest.mask_bin: 00111111111
+kern.random.harvest.mask: 511
+kern.random.random_sources: 'Intel Secure Key RNG'
 .Ed
 .Pp
 Other than
-.Dl kern.random.adaptors
-all settings are read/write.
-.Pp
-The
-.Va kern.random.sys.seeded
-variable indicates whether or not the
-.Nm
-device is in an acceptably secure state
-as a result of reseeding.
-If set to 0,
-the device will block (on read)
-until the next reseed
-as a result of entropy harvesting.
-A reseed will set the value to 1 (non-blocking).
-.Pp
-The
-.Va kern.random.sys.harvest.ethernet
-variable is used to select LAN traffic as an entropy source.
-A 0 (zero) value means that LAN traffic
-is not considered as an entropy source.
-Set the variable to 1 (one)
-if you wish to use LAN traffic for entropy harvesting.
+.Dl kern.random.fortuna.minpoolsize
+and
+.Dl kern.random.harvest.mask
+all settings are read-only.
 .Pp
 The
-.Va kern.random.sys.harvest.point_to_point
-variable is used to select serial line traffic as an entropy source.
-(Serial line traffic includes PPP, SLIP and all tun0 traffic.)
-A 0 (zero) value means such traffic
-is not considered as an entropy source.
-Set the variable to 1 (one)
-if you wish to use it for entropy harvesting.
+.Pa kern.random.fortuna.minpoolsize
+sysctl is used
+to set the seed threshhold.
+A smaller number gives a faster seed,
+but a less secure one.
+In practice,
+values between 64 and 256
+are acceptable.
 .Pp
 The
-.Va kern.random.sys.harvest.interrupt
-variable is used to select hardware interrupts
+.Va kern.random.harvest.mask
+bitmask is used to select
+the possible entropy sources.
+A 0 (zero) value means
+the corresponding source
+is not considered
 as an entropy source.
-A 0 (zero) value means hardware interrupts
-are not considered as an entropy source.
-Set the variable to 1 (one)
-if you wish to use them for entropy harvesting.
-All hardware interrupt harvesting is set up by the
-individual device drivers.
-.Pp
+Set the bit to 1 (one)
+if you wish to use
+that source.
 The
-.Va kern.random.sys.harvest.swi
-variable is used to select software interrupts
-as an entropy source.
-A 0 (zero) value means software interrupts
-are not considered as an entropy source.
-Set the variable to 1 (one)
-if you wish to use them for entropy harvesting.
-.Pp
-The other variables are explained in the paper describing the
-.Em Yarrow
-algorithm at
-.Pa http://www.schneier.com/yarrow.html .
-.Pp
-These variables are all limited
-in terms of the values they may contain:
-.Bl -tag -width "kern.random.yarrow.gengateinterval" -compact -offset indent
-.It Va kern.random.yarrow.gengateinterval
-.Bq 4..64
-.It Va kern.random.yarrow.bins
-.Bq 2..16
-.It Va kern.random.yarrow.fastthresh
-.Bq 64..256
-.It Va kern.random.yarrow.slowthresh
-.Bq 64..256
-.It Va kern.random.yarrow.slowoverthresh
-.Bq 1..5
-.El
-.Pp
-Internal
-.Xr sysctl 3
-handlers force the above variables
-into the stated ranges.
+.Va kern.random.harvest.mask_bin
+and
+.Va kern.random.harvest.mask_symbolic
+sysctl
+can be used confirm
+that your choices are correct.
+Note that disabled items
+in the latter item
+are listed in square brackets.
+See
+.Xr random_harvest 9
+for more on the harvesting of entropy.
 .Sh RANDOMNESS
 The use of randomness in the field of computing
 is a rather subtle issue because randomness means
@@ -308,23 +265,36 @@ so its use is discouraged.
 .Xr RAND_add 3 ,
 .Xr RAND_bytes 3 ,
 .Xr random 3 ,
-.Xr sysctl 8
+.Xr sysctl 8 ,
+.Xr random 9
+.Rs
+.%A Ferguson
+.%A Schneier
+.%A Kohno
+.%B Cryptography Engineering
+.%I Wiley
+.%O ISBN 978-0-470-47424-2
+.Re
 .Sh HISTORY
 A
 .Nm
 device appeared in
 .Fx 2.2 .
-The early version was taken from Theodore Ts'o's entropy driver for Linux.
 The current software implementation,
 introduced in
-.Fx 5.0 ,
-is a complete rewrite by
+.Fx 10.0 ,
+is by
 .An Mark R V Murray ,
 and is an implementation of the
-.Em Yarrow
-algorithm by Bruce Schneier,
+.Em Fortuna
+algorithm by Ferguson
 .Em et al .
-Significant infrastructure work was done by Arthur Mesh.
-.Pp
-The author gratefully acknowledges
-significant assistance from VIA Technologies, Inc.
+It replaces the previous
+.Em Yarrow
+implementation,
+introduced in
+.Fx 5.0 .
+The older
+.Em Yarrow
+algorithm remains available
+as a compile-time fallback.

Modified: head/share/man/man9/random.9
==============================================================================
--- head/share/man/man9/random.9	Tue Jun 30 16:26:13 2015	(r284958)
+++ head/share/man/man9/random.9	Tue Jun 30 17:00:45 2015	(r284959)
@@ -1,4 +1,6 @@
 .\"
+.\" Copyright (c) 2015
+.\"	Mark R V Murray
 .\" Copyright (c) 2000
 .\"	The Regents of the University of California.  All rights reserved.
 .\"
@@ -26,7 +28,7 @@
 .\"
 .\" $FreeBSD$
 .\" "
-.Dd September 25, 2000
+.Dd June 30, 2015
 .Dt RANDOM 9
 .Os
 .Sh NAME
@@ -53,11 +55,12 @@
 .Sh DESCRIPTION
 The
 .Fn random
-function will by default produce a sequence of numbers that can be duplicated
+function will by default produce
+a sequence of numbers
+that can be duplicated
 by calling
 .Fn srandom
-with
-.Ql 1
+with some constant
 as the
 .Fa seed .
 The
@@ -67,19 +70,28 @@ function may be called with any arbitrar
 value to get slightly more unpredictable numbers.
 It is important to remember that the
 .Fn random
-function is entirely predictable, and is therefore not of use where
-knowledge of the sequence of numbers may be of benefit to an attacker.
+function is entirely predictable,
+and is therefore not of use where
+knowledge of the sequence of numbers
+may be of benefit to an attacker.
 .Pp
 The
 .Fn arc4rand
-function will return very good quality random numbers, slightly better
-suited for security-related purposes.
+function will return very good quality random numbers,
+better suited
+for security-related purposes.
 The random numbers from
 .Fn arc4rand
-are seeded from the entropy device if it is available.
-Automatic reseeds happen after a certain timeinterval and after a
-certain number of bytes have been delivered.
-A forced reseed can be forced by passing a non-zero value in the
+are seeded from the entropy device
+if it is available.
+Automatic reseeds happen
+after a certain timeinterval
+and after a certain number of bytes
+have been delivered.
+A forced reseed
+can be forced
+by passing a non-zero
+value in the
 .Fa reseed
 argument.
 .Pp
@@ -90,19 +102,24 @@ if it has been loaded.
 If the entropy device is not loaded, then
 the
 .Fa buffer
-is filled with output generated by
-.Fn random .
+is ignored
+and zero is returned.
 The
 .Fa buffer
 is filled with no more than
 .Fa count
 bytes.
-It is advised that
+It is strongly advised that
 .Fn read_random
-is not used; instead use
+is not used;
+instead use
 .Fn arc4rand
+unless it is
+necessary to know
+that no entropy
+has been returned.
 .Pp
-All the bits generated by
+All the bits returned by
 .Fn random ,
 .Fn arc4rand
 and
@@ -120,32 +137,38 @@ to return a 32 bit pseudo-random integer
 .Sh RETURN VALUES
 The
 .Fn random
-function
-uses a non-linear additive feedback random number generator employing a
-default table of size 31 long integers to return successive pseudo-random
+function uses
+a non-linear additive feedback random number generator
+employing a default table
+of size 31
+containing long integers
+to return successive pseudo-random
 numbers in the range from 0 to
 .if t 2\u\s731\s10\d\(mi1.
 .if n (2**31)\(mi1.
-The period of this random number generator is very large, approximately
+The period of this random number generator
+is very large,
+approximately
 .if t 16\(mu(2\u\s731\s10\d\(mi1).
 .if n 16*((2**31)\(mi1).
 .Pp
 The
 .Fn arc4rand
-function uses the RC4 algorithm to generate successive pseudo-random
-bytes.
+function uses the RC4 algorithm
+to generate successive pseudo-random bytes.
 The
 .Fn arc4random
-function
-uses
+function uses
 .Fn arc4rand
-to generate pseudo-random numbers in the range from 0 to
+to generate pseudo-random numbers
+in the range from 0 to
 .if t 2\u\s732\s10\d\(mi1.
 .if n (2**32)\(mi1.
 .Pp
 The
 .Fn read_random
-function returns the number of bytes placed in
+function returns
+the number of bytes placed in
 .Fa buffer .
 .Sh AUTHORS
 .An Dan Moschuk

Modified: head/share/man/man9/random_harvest.9
==============================================================================
--- head/share/man/man9/random_harvest.9	Tue Jun 30 16:26:13 2015	(r284958)
+++ head/share/man/man9/random_harvest.9	Tue Jun 30 17:00:45 2015	(r284959)
@@ -1,5 +1,5 @@
 .\"
-.\" Copyright (c) 2002 Mark R V Murray
+.\" Copyright (c) 2002-2015 Mark R V Murray
 .\" All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
@@ -25,7 +25,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd February 6, 2002
+.Dd June 30, 2015
 .Dt RANDOM_HARVEST 9
 .Os
 .Sh NAME
@@ -35,59 +35,93 @@
 .In sys/types.h
 .In sys/random.h
 .Ft void
-.Fo random_harvest
+.Fo random_harvest_direct
+.Fa "void *entropy"
+.Fa "u_int size"
+.Fa "u_int bits"
+.Fa "enum esource source"
+.Fc
+.Ft void
+.Fo random_harvest_fast
+.Fa "void *entropy"
+.Fa "u_int size"
+.Fa "u_int bits"
+.Fa "enum esource source"
+.Fc
+.Ft void
+.Fo random_harvest_queue
 .Fa "void *entropy"
 .Fa "u_int size"
 .Fa "u_int bits"
-.Fa "u_int frac"
 .Fa "enum esource source"
 .Fc
 .Sh DESCRIPTION
 The
-.Fn random_harvest
-function is used by device drivers
+.Fn random_harvest_*
+functions are used by device drivers
 and other kernel processes to pass data
 that is considered (at least partially) stochastic
 to the entropy device.
 .Pp
-The caller should pass a pointer (to no more than 16 bytes) of
-the
+The caller should pass
+a pointer pointing to the
 .Dq random
 data in
 .Fa entropy .
 The argument
 .Fa size
 contains the number of bytes pointed to.
-The caller should
+The
+.Fa source
+is chosen from one of
+the values enumerated in
+.Pa sys/dev/random.h .
+and is used to indicate the source of the entropy.
+.Pp
+The
+.Fo random_harvest_direct
+.Fc
+variant is used
+for early harvesting
+before any multitasking
+is enabled.
+.Pp
+The
+.Fn random_harvest_fast
+variant is used
+by sources that
+should not take
+a performance hit
+from harvesting,
+as they are high-rate
+sources.
+Some entropy is sacrificed,
+but the hig rate of supply
+will compensate for this.
+.Pp
+The
+.Fn random_harvest_queue
+variant is used
+for general harvesting
+and is the default
+choice for most entropy sources
+such as interrupts
+or console events.
+.Pp
+The
+.Fa bits
+argument is only used
+by the deprecated Yarrow algorithm.
+For compatibility,
+the caller should
 .Em "very conservatively"
 estimate the number of random bits
 in the sample,
 and pass this in
-.Fa bits
-or
-.Fa frac .
-If the estimated number of bits per sample is an integer, then
-.Fa bits
-is used, and
-.Fa frac
-is 0.
-Otherwise,
-for low-entropy samples,
-.Dq fractional
-entropy can be supplied in
-.Fa frac .
-(This is considered to be
-.Fa frac /
-1024 bits of entropy.)
-The
-.Fa source
-is chosen from
-.Dv RANDOM_WRITE , RANDOM_KEYBOARD , RANDOM_MOUSE , RANDOM_NET
-and
-.Dv RANDOM_INTERRUPT ,
-and is used to indicate the source of the entropy.
+.Fa bits .
 .Pp
-Interrupt harvesting has been simplified
+Interrupt harvesting has been
+in part simplified simplified
 for the kernel programmer.
 If a device driver registers an interrupt handler
 with
@@ -101,6 +135,7 @@ bit in the
 .Fa flags
 argument to have that interrupt source
 be used for entropy harvesting.
+This should be done wherever practicable.
 .Sh SEE ALSO
 .Xr random 4 ,
 .Xr BUS_SETUP_INTR 9

Modified: head/sys/conf/files
==============================================================================
--- head/sys/conf/files	Tue Jun 30 16:26:13 2015	(r284958)
+++ head/sys/conf/files	Tue Jun 30 17:00:45 2015	(r284959)
@@ -528,14 +528,14 @@ crypto/des/des_ecb.c		optional crypto | 
 crypto/des/des_setkey.c		optional crypto | ipsec | netsmb
 crypto/rc4/rc4.c		optional netgraph_mppc_encryption | kgssapi
 crypto/rijndael/rijndael-alg-fst.c optional crypto | geom_bde | \
-					 ipsec | random | wlan_ccmp
-crypto/rijndael/rijndael-api-fst.c optional geom_bde | random
+					 ipsec | random random_yarrow | random !random_yarrow !random_dummy | wlan_ccmp
+crypto/rijndael/rijndael-api-fst.c optional geom_bde | random random_yarrow | random !random_yarrow !random_dummy
 crypto/rijndael/rijndael-api.c	optional crypto | ipsec | wlan_ccmp
 crypto/sha1.c			optional carp | crypto | ipsec | \
 					 netgraph_mppc_encryption | sctp
-crypto/sha2/sha2.c		optional crypto | geom_bde | ipsec | random | \
+crypto/sha2/sha2.c		optional crypto | geom_bde | ipsec | random random_yarrow | random !random_yarrow !random_dummy | \
 					 sctp | zfs
-crypto/sha2/sha256c.c		optional crypto | geom_bde | ipsec | random | \
+crypto/sha2/sha256c.c		optional crypto | geom_bde | ipsec | random random_yarrow | random !random_yarrow !random_dummy | \
 					 sctp | zfs
 crypto/siphash/siphash.c	optional inet | inet6
 crypto/siphash/siphash_test.c	optional inet | inet6
@@ -2139,15 +2139,12 @@ rt2860.fw			optional rt2860fw | ralfw		\
 	compile-with	"${NORMAL_FW}"					\
 	no-obj no-implicit-rule						\
 	clean		"rt2860.fw"
-dev/random/randomdev.c		standard
-dev/random/random_adaptors.c	standard
-dev/random/dummy_rng.c		standard
-dev/random/live_entropy_sources.c	standard
-dev/random/random_harvestq.c	standard
-dev/random/randomdev_soft.c	optional random
-dev/random/yarrow.c		optional random
-dev/random/fortuna.c		optional random
-dev/random/hash.c		optional random
+dev/random/randomdev_none.c	optional !random
+dev/random/randomdev.c		optional random
+dev/random/random_harvestq.c	optional random random_yarrow | random !random_dummy
+dev/random/yarrow.c		optional random random_yarrow
+dev/random/fortuna.c		optional random !random_yarrow !random_dummy
+dev/random/hash.c		optional random random_yarrow | random !random_dummy
 dev/rc/rc.c			optional rc
 dev/re/if_re.c			optional re
 dev/rl/if_rl.c			optional rl pci

Modified: head/sys/conf/options
==============================================================================
--- head/sys/conf/options	Tue Jun 30 16:26:13 2015	(r284958)
+++ head/sys/conf/options	Tue Jun 30 17:00:45 2015	(r284959)
@@ -939,9 +939,16 @@ RACCT_DEFAULT_TO_DISABLED	opt_global.h
 RCTL		opt_global.h
 
 # Random number generator(s)
+# The DEBUG option is in global.h as the random harvesting
+# puts probes all over the place, and it makes little sense
+# to pollute these headers with an extra include.
+# the DUMMY option is in global.h because it is used to
+# turn off harvesting all over the kernel.
+RANDOM_DEBUG	opt_global.h
+# Which CSPRNG hashes we get.
+# These are mutually exclusive. With neither, Fortuna is selected.
+RANDOM_DUMMY	opt_global.h
 RANDOM_YARROW	opt_random.h
-RANDOM_FORTUNA	opt_random.h
-RANDOM_DEBUG	opt_random.h
 
 # Intel em(4) driver
 EM_MULTIQUEUE	opt_em.h

Modified: head/sys/dev/glxsb/glxsb.c
==============================================================================
--- head/sys/dev/glxsb/glxsb.c	Tue Jun 30 16:26:13 2015	(r284958)
+++ head/sys/dev/glxsb/glxsb.c	Tue Jun 30 17:00:45 2015	(r284959)
@@ -476,7 +476,8 @@ glxsb_rnd(void *v)
 	if (status & SB_RNS_TRNG_VALID) {
 		value = bus_read_4(sc->sc_sr, SB_RANDOM_NUM);
 		/* feed with one uint32 */
-		random_harvest(&value, sizeof(value), 32/2, RANDOM_PURE_GLXSB);
+		/* MarkM: FIX!! Check that this does not swamp the harvester! */
+		random_harvest_queue(&value, sizeof(value), 32/2, RANDOM_PURE_GLXSB);
 	}
 
 	callout_reset(&sc->sc_rngco, sc->sc_rnghz, glxsb_rnd, sc);

Modified: head/sys/dev/hifn/hifn7751.c
==============================================================================
--- head/sys/dev/hifn/hifn7751.c	Tue Jun 30 16:26:13 2015	(r284958)
+++ head/sys/dev/hifn/hifn7751.c	Tue Jun 30 17:00:45 2015	(r284959)
@@ -258,7 +258,8 @@ hifn_partname(struct hifn_softc *sc)
 static void
 default_harvest(struct rndtest_state *rsp, void *buf, u_int count)
 {
-	random_harvest(buf, count, count*NBBY/2, RANDOM_PURE_HIFN);
+	/* MarkM: FIX!! Check that this does not swamp the harvester! */
+	random_harvest_queue(buf, count, count*NBBY/2, RANDOM_PURE_HIFN);
 }
 
 static u_int

Modified: head/sys/dev/random/build.sh
==============================================================================
--- head/sys/dev/random/build.sh	Tue Jun 30 16:26:13 2015	(r284958)
+++ head/sys/dev/random/build.sh	Tue Jun 30 17:00:45 2015	(r284959)
@@ -1,3 +1,29 @@
+#!/bin/sh
+#-
+# Copyright (c) 2013-2015 Mark R V Murray
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer
+#    in this position and unchanged.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
 # $FreeBSD$
 #
 # Basic script to build crude unit tests.
@@ -11,6 +37,7 @@ cc -g -O0 -pthread -DRANDOM_DEBUG -DRAND
 	../../crypto/rijndael/rijndael-alg-fst.c \
 	../../crypto/sha2/sha2.c \
 	../../crypto/sha2/sha256c.c \
+	-lz \
 	-o yunit_test
 cc -g -O0 -pthread -DRANDOM_DEBUG -DRANDOM_FORTUNA \
 	-I../.. -lstdthreads -Wall \
@@ -21,4 +48,5 @@ cc -g -O0 -pthread -DRANDOM_DEBUG -DRAND
 	../../crypto/rijndael/rijndael-alg-fst.c \
 	../../crypto/sha2/sha2.c \
 	../../crypto/sha2/sha256c.c \
+	-lz \
 	-o funit_test

Modified: head/sys/dev/random/fortuna.c
==============================================================================
--- head/sys/dev/random/fortuna.c	Tue Jun 30 16:26:13 2015	(r284958)
+++ head/sys/dev/random/fortuna.c	Tue Jun 30 17:00:45 2015	(r284959)
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2013-2014 Mark R V Murray
+ * Copyright (c) 2013-2015 Mark R V Murray
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -25,25 +25,24 @@
  *
  */
 
-/* This implementation of Fortuna is based on the descriptions found in
- * ISBN 0-471-22357-3 "Practical Cryptography" by Ferguson and Schneier
- * ("F&S").
- *
- * The above book is superseded by ISBN 978-0-470-47424-2 "Cryptography
- * Engineering" by Ferguson, Schneier and Kohno ("FS&K").  The code has
- * not yet fully caught up with FS&K.
+/*
+ * This implementation of Fortuna is based on the descriptions found in
+ * ISBN 978-0-470-47424-2 "Cryptography Engineering" by Ferguson, Schneier
+ * and Kohno ("FS&K").
  */
 
 #include <sys/cdefs.h>
 __FBSDID("$FreeBSD$");
 
-#ifdef _KERNEL
-#include "opt_random.h"
+#include <sys/limits.h>
 
+#ifdef _KERNEL
 #include <sys/param.h>
 #include <sys/kernel.h>
+#include <sys/conf.h>
 #include <sys/lock.h>
 #include <sys/malloc.h>
+#include <sys/module.h>
 #include <sys/mutex.h>
 #include <sys/random.h>
 #include <sys/sysctl.h>
@@ -56,13 +55,10 @@ __FBSDID("$FreeBSD$");
 
 #include <dev/random/hash.h>
 #include <dev/random/randomdev.h>
-#include <dev/random/random_adaptors.h>
 #include <dev/random/random_harvestq.h>
 #include <dev/random/uint128.h>
 #include <dev/random/fortuna.h>
 #else /* !_KERNEL */
-#include <sys/param.h>
-#include <sys/types.h>
 #include <inttypes.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -79,351 +75,405 @@ __FBSDID("$FreeBSD$");
 #include <dev/random/fortuna.h>
 #endif /* _KERNEL */
 
-#if !defined(RANDOM_YARROW) && !defined(RANDOM_FORTUNA)
-#define RANDOM_YARROW
-#elif defined(RANDOM_YARROW) && defined(RANDOM_FORTUNA)
-#error "Must define either RANDOM_YARROW or RANDOM_FORTUNA"
-#endif
-
-#if defined(RANDOM_FORTUNA)
-
-#define NPOOLS 32
-#define MINPOOLSIZE 64
-#define DEFPOOLSIZE 256
-#define MAXPOOLSIZE 65536
-
-/* This algorithm (and code) presumes that KEYSIZE is twice as large as BLOCKSIZE */
-CTASSERT(BLOCKSIZE == sizeof(uint128_t));
-CTASSERT(KEYSIZE == 2*BLOCKSIZE);
-
-/* This is the beastie that needs protecting. It contains all of the
- * state that we are excited about.
- * Exactly one is instantiated.
+/* Defined in FS&K */
+#define	RANDOM_FORTUNA_NPOOLS 32		/* The number of accumulation pools */
+#define	RANDOM_FORTUNA_DEFPOOLSIZE 64		/* The default pool size/length for a (re)seed */
+#define	RANDOM_FORTUNA_MAX_READ (1 << 20)	/* Max bytes in a single read */
+
+/*
+ * The allowable range of RANDOM_FORTUNA_DEFPOOLSIZE. The default value is above.
+ * Making RANDOM_FORTUNA_DEFPOOLSIZE too large will mean a long time between reseeds,
+ * and too small may compromise initial security but get faster reseeds.
+ */
+#define	RANDOM_FORTUNA_MINPOOLSIZE 16
+#define	RANDOM_FORTUNA_MAXPOOLSIZE UINT_MAX
+CTASSERT(RANDOM_FORTUNA_MINPOOLSIZE <= RANDOM_FORTUNA_DEFPOOLSIZE);
+CTASSERT(RANDOM_FORTUNA_DEFPOOLSIZE <= RANDOM_FORTUNA_MAXPOOLSIZE);
+
+/* This algorithm (and code) presumes that RANDOM_KEYSIZE is twice as large as RANDOM_BLOCKSIZE */
+CTASSERT(RANDOM_BLOCKSIZE == sizeof(uint128_t));
+CTASSERT(RANDOM_KEYSIZE == 2*RANDOM_BLOCKSIZE);
+
+/*
+ * This is the beastie that needs protecting. It contains all of the
+ * state that we are excited about. Exactly one is instantiated.
  */
 static struct fortuna_state {
-	/* P_i */
-	struct pool {
-		u_int length;
-		struct randomdev_hash hash;
-	} pool[NPOOLS];
-
-	/* ReseedCnt */
-	u_int reseedcount;
-
-	/* C - 128 bits */
-	union {
-		uint8_t byte[BLOCKSIZE];
-		uint128_t whole;
-	} counter;
-
-	/* K */
-	struct randomdev_key key;
-
-	/* Extras */
-	u_int minpoolsize;
-
+	struct fs_pool {		/* P_i */
+		u_int fsp_length;	/* Only the first one is used by Fortuna */
+		struct randomdev_hash fsp_hash;
+	} fs_pool[RANDOM_FORTUNA_NPOOLS];
+	u_int fs_reseedcount;		/* ReseedCnt */
+	uint128_t fs_counter;		/* C */
+	struct randomdev_key fs_key;	/* K */
+	u_int fs_minpoolsize;		/* Extras */
 	/* Extras for the OS */
-
 #ifdef _KERNEL
 	/* For use when 'pacing' the reseeds */
-	sbintime_t lasttime;
+	sbintime_t fs_lasttime;
 #endif
+	/* Reseed lock */
+	mtx_t fs_mtx;
 } fortuna_state;
 
-/* The random_reseed_mtx mutex protects seeding and polling/blocking.  */
-static mtx_t random_reseed_mtx;
+#ifdef _KERNEL
+static struct sysctl_ctx_list random_clist;
+RANDOM_CHECK_UINT(fs_minpoolsize, RANDOM_FORTUNA_MINPOOLSIZE, RANDOM_FORTUNA_MAXPOOLSIZE);
+#else
+static uint8_t zero_region[RANDOM_ZERO_BLOCKSIZE];
+#endif
 
-static struct fortuna_start_cache {
-	uint8_t junk[PAGE_SIZE];
-	size_t length;
-	struct randomdev_hash hash;
-} fortuna_start_cache;
+static void random_fortuna_pre_read(void);
+static void random_fortuna_read(uint8_t *, u_int);
+static void random_fortuna_post_read(void);
+static void random_fortuna_write(uint8_t *, u_int);
+static void random_fortuna_reseed(void);
+static int random_fortuna_seeded(void);
+static void random_fortuna_process_event(struct harvest_event *);
 
 #ifdef _KERNEL
-static struct sysctl_ctx_list random_clist;
-RANDOM_CHECK_UINT(minpoolsize, MINPOOLSIZE, MAXPOOLSIZE);
+/* Interface to Adaptors system */
+struct random_algorithm random_alg_context = {
+	.ra_ident = "Fortuna",
+	.ra_pre_read = random_fortuna_pre_read,
+	.ra_read = random_fortuna_read,
+	.ra_post_read = random_fortuna_post_read,
+	.ra_write = random_fortuna_write,
+	.ra_reseed = random_fortuna_reseed,
+	.ra_seeded = random_fortuna_seeded,
+	.ra_event_processor = random_fortuna_process_event,
+	.ra_poolcount = RANDOM_FORTUNA_NPOOLS,
+};
 #endif
 
-void
-random_fortuna_init_alg(void)
+/* ARGSUSED */
+static void
+random_fortuna_init_alg(void *unused __unused)
 {
 	int i;
 #ifdef _KERNEL
 	struct sysctl_oid *random_fortuna_o;
 #endif
 
-	memset(fortuna_start_cache.junk, 0, sizeof(fortuna_start_cache.junk));
-	fortuna_start_cache.length = 0U;
-	randomdev_hash_init(&fortuna_start_cache.hash);
-
-	/* Set up a lock for the reseed process */
-#ifdef _KERNEL
-	mtx_init(&random_reseed_mtx, "reseed mutex", NULL, MTX_DEF);
-#else /* !_KERNEL */
-	mtx_init(&random_reseed_mtx, mtx_plain);
-#endif /* _KERNEL */
-
-#ifdef _KERNEL
-	/* Fortuna parameters. Do not adjust these unless you have
+	RANDOM_RESEED_INIT_LOCK();
+	/*
+	 * Fortuna parameters. Do not adjust these unless you have
 	 * have a very good clue about what they do!
 	 */
+	fortuna_state.fs_minpoolsize = RANDOM_FORTUNA_DEFPOOLSIZE;
+#ifdef _KERNEL
+	fortuna_state.fs_lasttime = 0;
 	random_fortuna_o = SYSCTL_ADD_NODE(&random_clist,
 		SYSCTL_STATIC_CHILDREN(_kern_random),
 		OID_AUTO, "fortuna", CTLFLAG_RW, 0,
 		"Fortuna Parameters");
-
 	SYSCTL_ADD_PROC(&random_clist,
 		SYSCTL_CHILDREN(random_fortuna_o), OID_AUTO,
-		"minpoolsize", CTLTYPE_UINT|CTLFLAG_RW,
-		&fortuna_state.minpoolsize, DEFPOOLSIZE,
-		random_check_uint_minpoolsize, "IU",
-		"Minimum pool size necessary to cause a reseed automatically");
-
-	fortuna_state.lasttime = 0U;
+		"minpoolsize", CTLTYPE_UINT | CTLFLAG_RWTUN,
+		&fortuna_state.fs_minpoolsize, RANDOM_FORTUNA_DEFPOOLSIZE,
+		random_check_uint_fs_minpoolsize, "IU",
+		"Minimum pool size necessary to cause a reseed");
+	KASSERT(fortuna_state.fs_minpoolsize > 0, ("random: Fortuna threshold must be > 0 at startup"));
 #endif
 
-	fortuna_state.minpoolsize = DEFPOOLSIZE;
-
-	/* F&S - InitializePRNG() */
-
-	/* F&S - P_i = \epsilon */
-	for (i = 0; i < NPOOLS; i++) {
-		randomdev_hash_init(&fortuna_state.pool[i].hash);
-		fortuna_state.pool[i].length = 0U;
+	/*-
+	 * FS&K - InitializePRNG()
+	 *      - P_i = \epsilon
+	 *      - ReseedCNT = 0
+	 */
+	for (i = 0; i < RANDOM_FORTUNA_NPOOLS; i++) {
+		randomdev_hash_init(&fortuna_state.fs_pool[i].fsp_hash);
+		fortuna_state.fs_pool[i].fsp_length = 0;
 	}
-
-	/* F&S - ReseedCNT = 0 */
-	fortuna_state.reseedcount = 0U;
-
-	/* F&S - InitializeGenerator() */
-
-	/* F&S - C = 0 */
-	uint128_clear(&fortuna_state.counter.whole);
-
-	/* F&S - K = 0 */
-	memset(&fortuna_state.key, 0, sizeof(fortuna_state.key));
+	fortuna_state.fs_reseedcount = 0;

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201506301700.t5UH0jPq001498>