Lines Matching +full:lock +full:- +full:step
1 /*-
3 * Copyright (c) 2013-2015 Mark R V Murray
31 * ISBN 978-0-470-47424-2 "Cryptography Engineering" by Ferguson, Schneier
41 #include <sys/lock.h>
62 #include <crypto/rijndael/rijndael-api-fst.h>
118 /* Reseed lock */
128 * 1. Concurrent full-rate devrandom readers can achieve similar throughput to
130 * non-concurrent design falls over at 2 readers).
137 * mutexes assume that a lock holder currently on CPU will release the lock
140 * (There is no reason rand_harvestq necessarily has to use the same lock as
144 * The concern is that the reduced lock scope might results in a less safe
145 * random(4) design. However, the reduced-lock scope design is still
149 * update the shared read-side state: C, the 128-bit counter; and K, the
155 * Under lock, we can save a copy of C on the stack, and increment the global C
158 * Still under lock, we can save a copy of the key K on the stack, and then
159 * perform the usual key erasure K' <- Keystream(C, K, ...). This does require
161 * global lock held, but that's all; none of the API keystream generation must
162 * be performed under lock.
172 * Status Quo fortuna_read() Reduced-scope locking
173 * ------------------------- ---------------------
176 * 1:Lock() 1:Lock()
182 * 1: <- Keystream 1: <1 block generated>
184 * 1: <1 block generated> 1: <- Keystream
186 * 1: <- Keystream
187 * 1: <- GenBytes()
191 * ------------------------------------------------
199 * 2:Lock() 2:Lock()
204 * 2: <- Keystream 2: <1 block generated>
206 * 2: <1 block generated> 2: <- Keystream
208 * 2: <- Keystream
209 * 2: <- GenBytes()
213 * ------------------------------------------------------
226 * 1: <- Keystream
227 * 1: <- GenBytes
233 * 2: <- Keystream
234 * 2: <- GenBytes
309 &fortuna_concurrent_read, 0, "If non-zero, enable " in random_fortuna_init_alg()
313 /*- in random_fortuna_init_alg()
314 * FS&K - InitializePRNG() in random_fortuna_init_alg()
315 * - P_i = \epsilon in random_fortuna_init_alg()
316 * - ReseedCNT = 0 in random_fortuna_init_alg()
323 /*- in random_fortuna_init_alg()
324 * FS&K - InitializeGenerator() in random_fortuna_init_alg()
325 * - C = 0 in random_fortuna_init_alg()
326 * - K = 0 in random_fortuna_init_alg()
334 /*-
335 * FS&K - AddRandomEvent()
345 * Run SP 800-90B health tests on the source if so configured. in random_fortuna_process_event()
351 /*- in random_fortuna_process_event()
352 * FS&K - P_i = P_i|<harvested stuff> in random_fortuna_process_event()
362 pl = event->he_destination % RANDOM_FORTUNA_NPOOLS; in random_fortuna_process_event()
368 if (event->he_source == RANDOM_PURE_VMGENID) in random_fortuna_process_event()
373 * conducting SP800-90B entropy analysis measurements of seed material in random_fortuna_process_event()
375 * -- wdf in random_fortuna_process_event()
377 KASSERT(event->he_size <= sizeof(event->he_entropy), in random_fortuna_process_event()
378 ("%s: event->he_size: %hhu > sizeof(event->he_entropy): %zu\n", in random_fortuna_process_event()
379 __func__, event->he_size, sizeof(event->he_entropy))); in random_fortuna_process_event()
381 &event->he_somecounter, sizeof(event->he_somecounter)); in random_fortuna_process_event()
383 event->he_entropy, event->he_size); in random_fortuna_process_event()
385 /*- in random_fortuna_process_event()
392 sizeof(event->he_somecounter) + event->he_size); in random_fortuna_process_event()
396 /*-
397 * FS&K - Reseed()
423 /*- in random_fortuna_reseed_internal()
424 * FS&K - K = Hd(K|s) where Hd(m) is H(H(0^512|m)) in random_fortuna_reseed_internal()
425 * - C = C + 1 in random_fortuna_reseed_internal()
444 /*-
445 * FS&K - RandomData() (Part 1)
464 /* FS&K - Use 'getsbinuptime()' to prevent reseed-spamming. */ in random_fortuna_pre_read()
471 * FS&K - Use 'getsbinuptime()' to prevent reseed-spamming, but do in random_fortuna_pre_read()
475 now - fortuna_state.fs_lasttime <= SBT_1S/10) in random_fortuna_pre_read()
498 /* FS&K - ReseedCNT = ReseedCNT + 1 */ in random_fortuna_pre_read()
502 /* FS&K - if Divides(ReseedCnt, 2^i) ... */ in random_fortuna_pre_read()
504 /*- in random_fortuna_pre_read()
505 * FS&K - temp = (P_i) in random_fortuna_pre_read()
506 * - P_i = \epsilon in random_fortuna_pre_read()
507 * - s = s|H(temp) in random_fortuna_pre_read()
535 * 1. Chacha20 is tolerant of non-block-multiple request sizes, so we do not
539 * 2. Chacha20 is a 512-bit block size cipher (whereas AES has 128-bit block
540 * size, regardless of key size). This means Chacha does not require re-keying
542 * explicitly in the conclusion, "If we had a block cipher with a 256-bit [or
547 * at a time before dropping the lock, to not bully the lock especially. This
572 * don't have to worry about rekeying Chacha; API is byte-oriented. in random_fortuna_genbytes()
581 * While holding the global lock, limit PRF generation to in random_fortuna_genbytes()
587 * 128-bit block ciphers like AES must be re-keyed at 1MB in random_fortuna_genbytes()
589 * from true random data (FS&K 9.4, p. 143-144). in random_fortuna_genbytes()
603 bytecount -= chunk_size; in random_fortuna_genbytes()
623 * If we're holding the global lock, yield it briefly in random_fortuna_genbytes()
660 * In locked mode, re-key global K before dropping the lock, which we in random_fortuna_genbytes()
677 * Handle only "concurrency-enabled" Fortuna reads to simplify logic.
694 * We will step the global counter 'C' by this number under lock, and in random_fortuna_read_concurrent()
695 * then actually consume the counter values outside the lock. in random_fortuna_read_concurrent()
725 * Step the counter as if we had generated 'bytecount' blocks for this in random_fortuna_read_concurrent()
727 * range of counter values once we drop the global lock. in random_fortuna_read_concurrent()
734 * 'randomdev_keystream()' will step the fs_counter 'C' appropriately in random_fortuna_read_concurrent()
757 /*-
758 * FS&K - RandomData() (Part 2)
792 "If non-zero, pretend Fortuna is in an unseeded state. By setting "
817 * kicked the initial seed step. Do so now. in random_fortuna_seeded()