1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause
56  * Timer-based reseed interval growth factor and limit in seconds. (§ 3.2)
74  * normal round-robin allocation after each timer reseed. (§ 3.4)
82  * sources are assumed to provide high-quality random bytes.  Pull sources are
86  * design, low-quality sources push into some global ring buffer and then get
218 /* Useful for single-bit-per-source state. */
221 /* XXX Borrowed from not-yet-committed D22702. */
225 	    &(p)->__bits[__bitset_word((_s), (n))], (n)) != 0)
230 /* For special behavior on first-time entropy sources. (§ 3.1) */
233 /* For special behavior for high-entropy sources after a reseed. (§ 3.4) */
237 /* Entropy pools.  Lock order is ENT -> RNG(root) -> RNG(leaf). */
250  * Track number of bytes of entropy harvested from high-quality sources prior
252  * high-quality bytes were available and less if we had other good sources.  We
253  * want to provide always-on availability but don't necessarily have *any*
275 	return (fxrng_ent_char[src].entc_cls->entc_src_cls == FXRNG_HI);  in fxrng_hi_source()
279  * A racy check that this high-entropy source's event should contribute to
280  * pool0 on the basis of per-source byte count.  The check is racy for two
282  *   - Performance: The vast majority of the time, we've already taken 32 bytes
285  *   - Correctness: It's fine that the check is racy.  The failure modes are:
310 	src = event->he_source;  in fxrng_event_processor()
312 	ASSERT_DEBUG(event->he_size <= sizeof(event->he_entropy),  in fxrng_event_processor()
314 	    (unsigned)event->he_size, sizeof(event->he_entropy));  in fxrng_event_processor()
318 	 * for the first time.  We still harvest the counter entropy.  in fxrng_event_processor()
320 	first_time = event->he_size > 0 &&  in fxrng_event_processor()
324 		 * "The first time [any source] provides entropy, it is used to  in fxrng_event_processor()
334 		 * PRNG is unkeyed.  Instead, we collect pre-keying dynamic  in fxrng_event_processor()
339 		 * After initial keying, we do directly mix in first-time  in fxrng_event_processor()
342 		 * re-key with the first 256 bits of hash output.  in fxrng_event_processor()
362 		fxrng_hash_update(&fxent_pool[0], &event->he_somecounter,  in fxrng_event_processor()
363 		    sizeof(event->he_somecounter));  in fxrng_event_processor()
364 		fxrng_hash_update(&fxent_pool[0], event->he_entropy,  in fxrng_event_processor()
365 		    event->he_size);  in fxrng_event_processor()
369 			if (fxrng_preseed_ent <= ULONG_MAX - event->he_size)  in fxrng_event_processor()
370 				fxrng_preseed_ent += event->he_size;  in fxrng_event_processor()
381 	 * The first-32-byte tracking data in fxrng_reseed_seen is reset in  in fxrng_event_processor()
384 	first_32 = event->he_size > 0 &&  in fxrng_event_processor()
396 		rem = FXENT_HI_SRC_POOL0_BYTES - seen;  in fxrng_event_processor()
397 		rem = MIN(rem, event->he_size);  in fxrng_event_processor()
403 		 * round-robin'd across other pools.  in fxrng_event_processor()
406 		    ((uint8_t *)event->he_entropy) + event->he_size - rem,  in fxrng_event_processor()
408 		if (rem == event->he_size) {  in fxrng_event_processor()
409 			fxrng_hash_update(&fxent_pool[0], &event->he_somecounter,  in fxrng_event_processor()
410 			    sizeof(event->he_somecounter));  in fxrng_event_processor()
418 		 * timecounter to be round-robin'd with the remaining entropy.  in fxrng_event_processor()
420 		event->he_size -= rem;  in fxrng_event_processor()
429 	pool = event->he_destination % fxent_nactpools;  in fxrng_event_processor()
430 	fxrng_hash_update(&fxent_pool[pool], event->he_entropy,  in fxrng_event_processor()
431 	    event->he_size);  in fxrng_event_processor()
432 	fxrng_hash_update(&fxent_pool[pool], &event->he_somecounter,  in fxrng_event_processor()
433 	    sizeof(event->he_somecounter));  in fxrng_event_processor()
438 		if (fxrng_preseed_ent <= ULONG_MAX - event->he_size)  in fxrng_event_processor()
439 			fxrng_preseed_ent += event->he_size;  in fxrng_event_processor()
453  * (arc4random(9)) will blindly charge on with something almost certainly worse
462 	/* The vast majority of the time, we expect to already be seeded. */  in fxrng_alg_seeded()
475 	/* XXX Any one-off initial seeding goes here. */  in fxrng_alg_seeded()
494 		    &fxent_reseed_timer, -sbt, (sbt / 3), C_PREL(2));  in fxrng_alg_seeded()
500  * Timer-based reseeds and pool expansion.
518 	 * Collect entropy from pools 0..n-1 by concatenating the output hashes  in fxent_timer_reseed_npools()
588 		 * reseed from [0, i-1).  (§ 3.3)  in fxent_timer_reseed()
604 	    -sbt, (sbt / 3), C_PREL(2));  in fxent_timer_reseed()
620 		    &fxent_reseed_timer, -sbt, (sbt / 3), C_PREL(2));  in fxent_pool_timer_init()