Wed Mar 18 08:03:27 2015 UTC ()

Pull up following revision(s) (requested by riastradh in ticket #605):
	share/man/man9/cprng.9: revision 1.10
Clarify advice about when to use what parts of cprng(9).
Add security model to specify the difference between cprng_strong and
cprng_fast.
Fix code references.  cprng_fast now uses ChaCha8, not RC4.
XXX Would have been nice if they had been called cprng and cprng_weak
to reduce confusion about which one to use, or even random and
weakrandom.  Too late for that now, though.


(snj)

diff -r1.9 -r1.9.4.1 src/share/man/man9/cprng.9

--- src/share/man/man9/cprng.9 2014/03/18 18:20:40	1.9
+++ src/share/man/man9/cprng.9 2015/03/18 08:03:27	1.9.4.1

 @@ -1,43 +1,43 @@
-.\"	$NetBSD: cprng.9,v 1.9 2014/03/18 18:20:40 riastradh Exp $
+.\"	$NetBSD: cprng.9,v 1.9.4.1 2015/03/18 08:03:27 snj Exp $
 .\"
-.\" Copyright (c) 2011-2013 The NetBSD Foundation, Inc.
+.\" Copyright (c) 2011-2015 The NetBSD Foundation, Inc.
 .\" All rights reserved.
 .\"
 .\" This code is derived from software contributed to The NetBSD Foundation
 .\" by Thor Lancelot Simon and Taylor R. Campbell.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
 .\" are met:
 .\" 1. Redistributions of source code must retain the above copyright
 .\"    notice, this list of conditions and the following disclaimer.
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
 .\"
 .\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
 .\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 .\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 .\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
 .\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 .\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 .\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 .\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 .\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd July 18, 2013
+.Dd February 19, 2015
 .Dt CPRNG 9
 .Os
 .Sh NAME
 .Nm cprng ,
 .Nm cprng_strong_create ,
 .Nm cprng_strong_destroy ,
 .Nm cprng_strong ,
 .Nm cprng_strong32 ,
 .Nm cprng_strong64 ,
 .Nm cprng_fast ,
 .Nm cprng_fast32 ,
 .Nm cprng_fast64 ,
 .Nd cryptographic pseudorandom number generators
 @@ -57,74 +57,77 @@
 .Fn cprng_fast "void *buf" "size_t len"
 .Ft uint32_t
 .Fn cprng_fast32 "void"
 .Ft uint32_t
 .Fn cprng_fast64 "void"
 .Bd -literal
 #define CPRNG_MAX_LEN   524288
 .Ed
 .Sh DESCRIPTION
 The
 .Nm
 family of functions provide cryptographic pseudorandom number
 generators automatically seeded from the kernel entropy pool.
-They replace the
+All applications in the kernel requiring random data or random choices
-.Xr arc4random 9
+should use the
-and
+.Nm cprng_strong
-.Xr rnd_extract_data 9
+family of functions, unless performance constraints demand otherwise.
 functions for this purpose.
 The
 .Nx
 kernel no longer supports direct reading from the kernel entropy pool; all
 access is mediated by the
 .Nm
 functions.
 .Pp
 The
-.Dq strong
+.Nm cprng_fast
-family of functions use cryptographically strong pseudorandom number
+family of functions may be used in applications that can tolerate
-generators suitable for keying crypto systems and similar purposes.
+exposure of past random data, such as initialization vectors or
-Calls to
+transaction ids that are sent over the internet anyway, if the
-.Xr rnd_extract_data 9
+applications require higher throughput or lower per-request latency
-should be replaced by calls to
+than the
-.Fn cprng_strong .
+.Nm cprng_strong
-.Pp
+family of functions provide.
-The
+If in doubt, choose
-.Dq fast
+.Nm cprng_strong .
 family of functions use cryptographically weaker pseudorandom number
 generators suitable for initialization vectors, nonces in certain
 protocols, and other similar purposes, using a faster but less secure
 stream-cipher-based generator.
 Calls to
 .Xr arc4random 9
 should be replaced by calls to
 .Fn cprng_fast32 ,
 and calls to
 .Xr arc4randbytes 9
 should be replaced by calls to
 .Fn cprng_fast .
 .Pp
 A single instance of the fast generator serves the entire kernel.
 A well-known instance of the strong generator,
 .Dv kern_cprng ,
 may be used by any in-kernel caller, but separately seeded instances of
 the strong generator can also be created by calling
 .Fn cprng_strong_create .
 .Pp
 The
 .Nm
 functions may be used at interrupt priority level
 .Dv IPL_VM
 or below,
 except for
 .Fn cprng_strong_create
 and
 .Fn cprng_strong_destroy
 which are allowed only at
 .Dv IPL_NONE ;
 see
 .Xr spl 9 .
 .Pp
 The
 .Nm
 functions replace the legacy
 .Xr arc4random 9
 and
 .Xr rnd_extract_data 9
 functions.
 .Sh FUNCTIONS
 .Bl -tag -width abcd
 .It Fn cprng_strong_create "name" "ipl" "flags"
 Create an instance of the cprng_strong generator.
-This generator implements the NIST SP 800-90 CTR_DRBG with AES128 as
+This generator currently implements the NIST SP 800-90A CTR_DRBG with
-the block transform.
+AES-128 as the block transform.
 .Pp
 The
 .Fa name
 argument is used to
 .Dq personalize
 the CTR_DRBG according to the standard, so that its initial state will
 depend both on seed material from the entropy pool and also on the
 personalization string (name).
 .Pp
 The
 .Fa ipl
 argument specifies the interrupt priority level for the mutex which
 will serialize access to the new instance of the generator (see
 @@ -247,41 +250,78 @@ bytes from the fast generator.
 .Fn cprng_fast
 does not sleep.
 .It Fn cprng_fast32
 Generate 32 bits using the fast generator.
 .Pp
 .Fn cprng_fast32
 does not sleep.
 .It Fn cprng_fast64
 Generate 64 bits using the fast generator.
 .Pp
 .Fn cprng_fast64
 does not sleep.
 .El
 .Sh SECURITY MODEL
 The
 .Nm
 family of functions provide the following security properties:
 .Bl -bullet -offset abcd
 .It
 An attacker who has seen some outputs of any of the
 .Nm
 functions cannot predict past or future unseen outputs.
 .It
 An attacker who has compromised kernel memory cannot predict past
 outputs of the
 .Nm cprng_strong
 functions.
 However, such an attacker may be able to predict past outputs of the
 .Nm cprng_fast
 functions.
 .El
 .Pp
 The second property is sometimes called
 .Dq backtracking resistance ,
 .Dq forward secrecy ,
 or
 .Dq key erasure
 in the cryptography literature.
 The
 .Nm cprng_strong
 functions provide backtracking resistance;
 the
 .Nm cprng_fast
 functions do not.
 .Sh CODE REFERENCES
 The cprng API is implemented by
 .Pa sys/kern/subr_cprng.c
 and
 .Pa sys/sys/cprng.h .
 The
-.Dq strong
+.Nm cprng_strong
-generator uses the CTR_DRBG implementation in
+functions are implemented in
 .Pa sys/kern/subr_cprng.c ,
 and use the NIST SP 800-90A CTR_DRBG implementation in
 .Pa sys/crypto/nist_ctr_drbg .
 The
-.Dq fast
+.Nm cprng_fast
-generator uses the arc4random implementation in
+functions are implemented in
-.Pa sys/lib/libkern/arc4random.c .
+.Pa sys/crypto/cprng_fast/cprng_fast.c ,
 and use the ChaCha8 stream cipher.
 .Sh SEE ALSO
 .Xr condvar 9 ,
 .Xr rnd 9 ,
 .Xr spl 9
 .Rs
 .%A Elaine Barker
 .%A John Kelsey
 .%T Recommendation for Random Number Generation Using Deterministic Random Bit Generators (Revised)
 .%I National Institute of Standards and Technology
 .%D 2011
 .%O NIST Special Publication 800-90A, Rev 1
 .Re
 .Rs
 .%A Daniel J. Bernstein
 .%T ChaCha, a variant of Salsa20
 .%D 2008-01-28
 .%O Document ID: 4027b5256e17b9796842e6d0f68b0b5e
 .%U http://cr.yp.to/papers.html#chacha
 .Re
 .Sh HISTORY
 The cprng family of functions first appeared in
 .Nx 6.0 .