Lines Matching +full:lock +full:- +full:less
1 /*-
3 * Copyright (c) 2013-2015 Mark R V Murray
31 * ISBN 978-0-470-47424-2 "Cryptography Engineering" by Ferguson, Schneier
41 #include <sys/lock.h>
62 #include <crypto/rijndael/rijndael-api-fst.h>
118 /* Reseed lock */
128 * 1. Concurrent full-rate devrandom readers can achieve similar throughput to
130 * non-concurrent design falls over at 2 readers).
132 * 2. The rand_harvestq process spends much less time spinning when one or more
137 * mutexes assume that a lock holder currently on CPU will release the lock
140 * (There is no reason rand_harvestq necessarily has to use the same lock as
144 * The concern is that the reduced lock scope might results in a less safe
145 * random(4) design. However, the reduced-lock scope design is still
149 * update the shared read-side state: C, the 128-bit counter; and K, the
155 * Under lock, we can save a copy of C on the stack, and increment the global C
158 * Still under lock, we can save a copy of the key K on the stack, and then
159 * perform the usual key erasure K' <- Keystream(C, K, ...). This does require
161 * global lock held, but that's all; none of the API keystream generation must
162 * be performed under lock.
167 * native blocks, and the keysize happens to be equal or less to the native
172 * Status Quo fortuna_read() Reduced-scope locking
173 * ------------------------- ---------------------
176 * 1:Lock() 1:Lock()
182 * 1: <- Keystream 1: <1 block generated>
184 * 1: <1 block generated> 1: <- Keystream
186 * 1: <- Keystream
187 * 1: <- GenBytes()
191 * ------------------------------------------------
199 * 2:Lock() 2:Lock()
204 * 2: <- Keystream 2: <1 block generated>
206 * 2: <1 block generated> 2: <- Keystream
208 * 2: <- Keystream
209 * 2: <- GenBytes()
213 * ------------------------------------------------------
226 * 1: <- Keystream
227 * 1: <- GenBytes
233 * 2: <- Keystream
234 * 2: <- GenBytes
309 &fortuna_concurrent_read, 0, "If non-zero, enable " in random_fortuna_init_alg()
313 /*- in random_fortuna_init_alg()
314 * FS&K - InitializePRNG() in random_fortuna_init_alg()
315 * - P_i = \epsilon in random_fortuna_init_alg()
316 * - ReseedCNT = 0 in random_fortuna_init_alg()
323 /*- in random_fortuna_init_alg()
324 * FS&K - InitializeGenerator() in random_fortuna_init_alg()
325 * - C = 0 in random_fortuna_init_alg()
326 * - K = 0 in random_fortuna_init_alg()
334 /*-
335 * FS&K - AddRandomEvent()
344 /*- in random_fortuna_process_event()
345 * FS&K - P_i = P_i|<harvested stuff> in random_fortuna_process_event()
355 pl = event->he_destination % RANDOM_FORTUNA_NPOOLS; in random_fortuna_process_event()
361 if (event->he_source == RANDOM_PURE_VMGENID) in random_fortuna_process_event()
366 * conducting SP800-90B entropy analysis measurements of seed material in random_fortuna_process_event()
368 * -- wdf in random_fortuna_process_event()
370 KASSERT(event->he_size <= sizeof(event->he_entropy), in random_fortuna_process_event()
371 ("%s: event->he_size: %hhu > sizeof(event->he_entropy): %zu\n", in random_fortuna_process_event()
372 __func__, event->he_size, sizeof(event->he_entropy))); in random_fortuna_process_event()
374 &event->he_somecounter, sizeof(event->he_somecounter)); in random_fortuna_process_event()
376 event->he_entropy, event->he_size); in random_fortuna_process_event()
378 /*- in random_fortuna_process_event()
385 sizeof(event->he_somecounter) + event->he_size); in random_fortuna_process_event()
389 /*-
390 * FS&K - Reseed()
416 /*- in random_fortuna_reseed_internal()
417 * FS&K - K = Hd(K|s) where Hd(m) is H(H(0^512|m)) in random_fortuna_reseed_internal()
418 * - C = C + 1 in random_fortuna_reseed_internal()
437 /*-
438 * FS&K - RandomData() (Part 1)
457 /* FS&K - Use 'getsbinuptime()' to prevent reseed-spamming. */ in random_fortuna_pre_read()
464 * FS&K - Use 'getsbinuptime()' to prevent reseed-spamming, but do in random_fortuna_pre_read()
468 now - fortuna_state.fs_lasttime <= SBT_1S/10) in random_fortuna_pre_read()
491 /* FS&K - ReseedCNT = ReseedCNT + 1 */ in random_fortuna_pre_read()
495 /* FS&K - if Divides(ReseedCnt, 2^i) ... */ in random_fortuna_pre_read()
497 /*- in random_fortuna_pre_read()
498 * FS&K - temp = (P_i) in random_fortuna_pre_read()
499 * - P_i = \epsilon in random_fortuna_pre_read()
500 * - s = s|H(temp) in random_fortuna_pre_read()
528 * 1. Chacha20 is tolerant of non-block-multiple request sizes, so we do not
532 * 2. Chacha20 is a 512-bit block size cipher (whereas AES has 128-bit block
533 * size, regardless of key size). This means Chacha does not require re-keying
535 * explicitly in the conclusion, "If we had a block cipher with a 256-bit [or
540 * at a time before dropping the lock, to not bully the lock especially. This
565 * don't have to worry about rekeying Chacha; API is byte-oriented. in random_fortuna_genbytes()
574 * While holding the global lock, limit PRF generation to in random_fortuna_genbytes()
580 * 128-bit block ciphers like AES must be re-keyed at 1MB in random_fortuna_genbytes()
582 * from true random data (FS&K 9.4, p. 143-144). in random_fortuna_genbytes()
596 bytecount -= chunk_size; in random_fortuna_genbytes()
616 * If we're holding the global lock, yield it briefly in random_fortuna_genbytes()
653 * In locked mode, re-key global K before dropping the lock, which we in random_fortuna_genbytes()
670 * Handle only "concurrency-enabled" Fortuna reads to simplify logic.
687 * We will step the global counter 'C' by this number under lock, and in random_fortuna_read_concurrent()
688 * then actually consume the counter values outside the lock. in random_fortuna_read_concurrent()
720 * range of counter values once we drop the global lock. in random_fortuna_read_concurrent()
750 /*-
751 * FS&K - RandomData() (Part 2)
785 "If non-zero, pretend Fortuna is in an unseeded state. By setting "