src/share/man/man4/rnd.4@1.17 / diff / nxr@1.17
src/share/man/man9/cprng.9@1.4 / diff / nxr@1.4
src/share/man/man9/rnd.9@1.19 / diff / nxr@1.19
src/sys/conf/files@1.1033 / diff / nxr@1.1033
src/sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes128.h@1.2 / diff / nxr@1.2
src/sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes256.h@1.2 / diff / nxr@1.2
src/sys/dev/iscsi/iscsi_text.c@1.3 / diff / nxr@1.3
src/sys/dev/rnd.c@1.89 / diff / nxr@1.89
src/sys/dev/rndpool.c@1.22 / diff / nxr@1.22
src/sys/dev/rndpseudo.c@1.1 / diff / nxr@1.1
src/sys/dist/pf/netinet/tcp_rndiss.c@1.4 / diff / nxr@1.4
src/sys/kern/init_sysctl.c@1.186 / diff / nxr@1.186
src/sys/kern/subr_cprng.c@1.5 / diff / nxr@1.5
src/sys/net/if_spppsubr.c@1.125 / diff / nxr@1.125
src/sys/netinet/tcp_subr.c@1.244 / diff / nxr@1.244
src/sys/rump/dev/lib/librnd/Makefile@1.3 / diff / nxr@1.3
src/sys/rump/librump/rumpkern/cprng_stub.c@1.4 / diff / nxr@1.4
src/sys/sys/cprng.h@1.4 / diff / nxr@1.4
src/sys/sys/param.h@1.398 / diff / nxr@1.398
src/sys/sys/rnd.h@1.28 / diff / nxr@1.28
Separate /dev/random pseudodevice implementation from kernel entropy pool
implementation. Rewrite pseudodevice code to use cprng_strong(9).

The new pseudodevice is cloning, so each caller gets bits from a stream
generated with its own key. Users of /dev/urandom get their generators
keyed on a "best effort" basis -- the kernel will rekey generators
whenever the entropy pool hits the high water mark -- while users of
/dev/random get their generators rekeyed every time key-length bits
are output.

The underlying cprng_strong API can use AES-256 or AES-128, but we use
AES-128 because of concerns about related-key attacks on AES-256. This
improves performance (and reduces entropy pool depletion) significantly
for users of /dev/urandom but does cause users of /dev/random to rekey
twice as often.

Also fixes various bugs (including some missing locking and a reseed-counter
overflow in the CTR_DRBG code) found while testing this.

For long reads, this generator is approximately 20 times as fast as the
old generator (dd with bs=64K yields 53MB/sec on 2GHz Core2 instead of
2.5MB/sec) and also uses a separate mutex per instance so concurrency
is greatly improved. For reads of typical key sizes for modern
cryptosystems (16-32 bytes) performance is about the same as the old
code: a little better for 32 bytes, a little worse for 16 bytes.
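The rekey policy the commit message describes, as an added model that is not part of the NetBSD commit: every opened instance keeps its own key, /dev/random instances draw a fresh key from the pool every key-length bits of output (so a 16-byte AES-128 key rekeys twice as often as a 32-byte one) and block when the pool is short, while /dev/urandom instances are rekeyed only when the pool reaches a high water mark. HMAC-SHA256 in counter mode stands in for the AES CTR_DRBG, and the high water value is a constructed placeholder, not NetBSD's.

```python
import hashlib, hmac, os
HIGH_WATER_BITS = 1024  # constructed high-water mark, not NetBSD's real value

class EntropyPool:
    # Models the kernel entropy pool as a bit count plus the rekey hook.
    def __init__(self, bits=0):
        self.bits = bits
        self.urandom_users = []  # generators rekeyed on a "best effort" basis

    def add(self, bits):
        self.bits += bits
        if self.bits >= HIGH_WATER_BITS:  # pool hit high water: rekey urandom users
            for g in self.urandom_users:
                g.rekey()

    def extract_key(self, keylen, blocking):
        need = keylen * 8
        if blocking and self.bits < need:
            raise BlockingIOError("/dev/random rekey: pool below key length")
        self.bits = max(0, self.bits - need)
        return os.urandom(keylen)  # stand-in for real pool extraction

class Generator:
    # One instance per open() of the cloning pseudodevice, keyed on its own.
    def __init__(self, pool, keylen=16, blocking=False):
        self.pool, self.keylen, self.blocking = pool, keylen, blocking
        self.rekeys = -1  # initial keying is not counted as a rekey
        self.rekey()
        if not blocking:
            pool.urandom_users.append(self)

    def rekey(self):
        self.key = self.pool.extract_key(self.keylen, self.blocking)
        self.ctr = self.since_rekey = 0
        self.rekeys += 1

    def read(self, n):
        out = bytearray()
        while len(out) < n:
            # HMAC-SHA256 in counter mode stands in for the AES CTR_DRBG.
            blk = hmac.new(self.key, self.ctr.to_bytes(8, "big"), hashlib.sha256).digest()
            self.ctr += 1
            take = min(n - len(out), len(blk))
            if self.blocking:
                take = min(take, self.keylen - self.since_rekey)
            out += blk[:take]
            self.since_rekey += take
            if self.blocking and self.since_rekey >= self.keylen:
                self.rekey()  # /dev/random: rekey every key-length bits output
        return bytes(out)
```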