MIME-Version: 1.0
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="US-ASCII"
Date: Sat, 17 Dec 2011 20:05:40 +0000
From: "Thor Lancelot Simon" <tls@netbsd.org>
Subject: CVS commit: src
To: source-changes@NetBSD.org
Message-Id: <20111217200540.B766E175DD@cvs.netbsd.org>
Sender: source-changes-owner@NetBSD.org
Precedence: bulk
Reply-To: source-changes-d@NetBSD.org
Mail-Reply-To: "Thor Lancelot Simon" <tls@netbsd.org>
Mail-Followup-To: source-changes-d@NetBSD.org

Module Name:	src
Committed By:	tls
Date:		Sat Dec 17 20:05:40 UTC 2011

Modified Files:
	src/share/man/man4: rnd.4
	src/share/man/man9: cprng.9 rnd.9
	src/sys/conf: files
	src/sys/crypto/nist_ctr_drbg: nist_ctr_drbg_aes128.h
	    nist_ctr_drbg_aes256.h
	src/sys/dev: rnd.c rndpool.c
	src/sys/dev/iscsi: iscsi_text.c
	src/sys/dist/pf/netinet: tcp_rndiss.c
	src/sys/kern: init_sysctl.c subr_cprng.c
	src/sys/net: if_spppsubr.c
	src/sys/netinet: tcp_subr.c
	src/sys/rump/dev/lib/librnd: Makefile
	src/sys/rump/librump/rumpkern: cprng_stub.c
	src/sys/sys: cprng.h param.h rnd.h
Added Files:
	src/sys/dev: rndpseudo.c

Log Message:
Separate /dev/random pseudodevice implemenation from kernel entropy pool
implementation.  Rewrite pseudodevice code to use cprng_strong(9).

The new pseudodevice is cloning, so each caller gets bits from a stream
generated with its own key.  Users of /dev/urandom get their generators
keyed on a "best effort" basis -- the kernel will rekey generators
whenever the entropy pool hits the high water mark -- while users of
/dev/random get their generators rekeyed every time key-length bits
are output.

The underlying cprng_strong API can use AES-256 or AES-128, but we use
AES-128 because of concerns about related-key attacks on AES-256.  This
improves performance (and reduces entropy pool depletion) significantly
for users of /dev/urandom but does cause users of /dev/random to rekey
twice as often.

Also fixes various bugs (including some missing locking and a reseed-counter
overflow in the CTR_DRBG code) found while testing this.

For long reads, this generator is approximately 20 times as fast as the
old generator (dd with bs=64K yields 53MB/sec on 2Ghz Core2 instead of
2.5MB/sec) and also uses a separate mutex per instance so concurrency
is greatly improved.  For reads of typical key sizes for modern
cryptosystems (16-32 bytes) performance is about the same as the old
code: a little better for 32 bytes, a little worse for 16 bytes.


To generate a diff of this commit:
cvs rdiff -u -r1.16 -r1.17 src/share/man/man4/rnd.4
cvs rdiff -u -r1.3 -r1.4 src/share/man/man9/cprng.9
cvs rdiff -u -r1.18 -r1.19 src/share/man/man9/rnd.9
cvs rdiff -u -r1.1032 -r1.1033 src/sys/conf/files
cvs rdiff -u -r1.1 -r1.2 src/sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes128.h \
    src/sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes256.h
cvs rdiff -u -r1.88 -r1.89 src/sys/dev/rnd.c
cvs rdiff -u -r1.21 -r1.22 src/sys/dev/rndpool.c
cvs rdiff -u -r0 -r1.1 src/sys/dev/rndpseudo.c
cvs rdiff -u -r1.2 -r1.3 src/sys/dev/iscsi/iscsi_text.c
cvs rdiff -u -r1.3 -r1.4 src/sys/dist/pf/netinet/tcp_rndiss.c
cvs rdiff -u -r1.185 -r1.186 src/sys/kern/init_sysctl.c
cvs rdiff -u -r1.4 -r1.5 src/sys/kern/subr_cprng.c
cvs rdiff -u -r1.124 -r1.125 src/sys/net/if_spppsubr.c
cvs rdiff -u -r1.243 -r1.244 src/sys/netinet/tcp_subr.c
cvs rdiff -u -r1.2 -r1.3 src/sys/rump/dev/lib/librnd/Makefile
cvs rdiff -u -r1.3 -r1.4 src/sys/rump/librump/rumpkern/cprng_stub.c
cvs rdiff -u -r1.3 -r1.4 src/sys/sys/cprng.h
cvs rdiff -u -r1.397 -r1.398 src/sys/sys/param.h
cvs rdiff -u -r1.27 -r1.28 src/sys/sys/rnd.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.