]> CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit
projects / FreeBSD / FreeBSD.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: a8e7a31) | patch
random(4): Generalize algorithm-independent APIs
authorcem <cem@FreeBSD.org>
Mon, 17 Jun 2019 15:09:12 +0000 (15:09 +0000)
committercem <cem@FreeBSD.org>
Mon, 17 Jun 2019 15:09:12 +0000 (15:09 +0000)
commita94613570db6baf5b7d91341e4e9f07e3ca5b70b
tree6711002801eb337fc72e48e69cb253128e401a2atree | snapshot
parenta8e7a312c6c1bc36745a0dfab9ae767a65862299commit | diff
random(4): Generalize algorithm-independent APIs

At a basic level, remove assumptions about the underlying algorithm (such as
output block size and reseeding requirements) from the algorithm-independent
logic in randomdev.c.  Chacha20 does not have many of the restrictions that
AES-ICM does as a PRF (Pseudo-Random Function), because it has a cipher
block size of 512 bits.  The motivation is that by generalizing the API,
Chacha is not penalized by the limitations of AES.

In READ_RANDOM_UIO, first attempt to NOWAIT allocate a large enough buffer
for the entire user request, or the maximal input we'll accept between
signal checking, whichever is smaller.  The idea is that the implementation
of any randomdev algorithm is then free to divide up large requests in
whatever fashion it sees fit.

As part of this, two responsibilities from the "algorithm-generic" randomdev
code are pushed down into the Fortuna ra_read implementation (and any other
future or out-of-tree ra_read implementations):

  1. If an algorithm needs to rekey every N bytes, it is responsible for
  handling that in ra_read(). (I.e., Fortuna's 1MB rekey interval for AES
  block generation.)

  2. If an algorithm uses a block cipher that doesn't tolerate partial-block
  requests (again, e.g., AES), it is also responsible for handling that in
  ra_read().

Several APIs are changed from u_int buffer length to the more canonical
size_t.  Several APIs are changed from taking a blockcount to a bytecount,
to permit PRFs like Chacha20 to directly generate quantities of output that
are not multiples of RANDOM_BLOCKSIZE (AES block size).

The Fortuna algorithm is changed to NOT rekey every 1MiB when in Chacha20
mode (kern.random.use_chacha20_cipher="1").  This is explicitly supported by
the math in FS&K ยง9.4 (Ferguson, Schneier, and Kohno; "Cryptography
Engineering"), as well as by their conclusion: "If we had a block cipher
with a 256-bit [or greater] block size, then the collisions would not
have been an issue at all."

For now, continue to break up reads into PAGE_SIZE chunks, as they were
before.  So, no functional change, mostly.

Reviewed by: markm
Approved by: secteam(delphij)
Differential Revision: https://reviews.freebsd.org/D20312
sys/dev/random/fortuna.c diff | blob | history
sys/dev/random/hash.c diff | blob | history
sys/dev/random/hash.h diff | blob | history
sys/dev/random/other_algorithm.c diff | blob | history
sys/dev/random/randomdev.c diff | blob | history
sys/dev/random/randomdev.h diff | blob | history
tests/sys/devrandom/uint128_test.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.