RND(4) | NetBSD Kernel Interfaces Manual | RND(4) |
If any of these differentials is zero, no entropy is assumed to have been gathered. If all are non-zero, one bit is assumed. Next, data is mixed into the entropy pool using an LFSR (linear feedback shift register).
To extract data from the entropy pool, a cryptographically strong hash function is used. The output of this hash is mixed back into the pool using the LFSR, and then folded in half before being returned to the caller.
Mixing the actual hash into the pool causes the next extraction to return a different value, even if no timing events were added to the pool. Folding the data in half prevents the caller to derive the actual hash of the pool, preventing some attacks.
Reading from /dev/random will only return values while sufficient entropy exists in the internal pool. When sufficient entropy does not exist, EAGAIN is returned for non-blocking reads, or the read will block for blocking reads.
Reading from /dev/urandom will return as many values as requested, even when the entropy pool is empty. This data is not as good as reading from /dev/random since when the pool is empty, data is still returned, degenerating to a pseudo-random generator.
Writing to either device will mix the data written into the pool using the LFSR as above, without modifying the entropy estimation for the pool.
typedef struct { char name[16]; uint32_t last_time; uint32_t last_delta; uint32_t last_delta2; uint32_t total; uint32_t type; uint32_t flags; } rndsource_t;
This structure holds the internal representation of a device's timing state. The name field holes the device name, as known to the kernel. The last_time entry is the timestamp of the last time this device generated an event. It is for internal use only, and not in any specific representation. The last_delta and last_delta2 fields hold the last first- and second-order deltas. The total field holds a count of how many bits this device has potentially generated. This is not the same as how many bits were used from it. The type field holds the device type.
Currently, these types are defined:
flags is a bitfield.
typedef struct { uint32_t poolsize; uint32_t threshold; uint32_t maxentropy; uint32_t added; uint32_t curentropy; uint32_t removed; uint32_t discarded; uint32_t generated; } rndpoolstat_t;
Return statistics on the current state of the random collection pool.
typedef struct { uint32_t start; uint32_t count; rndsource_t source[RND_MAXSTATCOUNT]; } rndstat_t;
Return data for sources, starting at start and returning at most count sources.
The values returned are actual in-kernel snapshots of the entropy status for devices. Leaking the internal timing information will weaken security.
typedef struct { char name[16]; rndsource_t source; } rndstat_name_t;
Return the device state for a named device.
typedef struct { char name[16]; uint32_t type; uint32_t flags; uint32_t mask; } rndctl_t;
Change bits in the device state information. If type is 0xff, only the device name stored in name is used. If it is any other value, all devices of type type are altered. This allows all network interfaces to be disabled for entropy collection with one call, for example. The flags and mask work together to change flag bits. The mask field specifies which bits in flags are to be set or cleared.
typedef struct { uint32_t len; uint32_t entropy; u_char data[RND_POOLWORDS * 4]; } rnddata_t;
February 22, 2009 | NetBSD 5.99 |