Lines Matching +full:lock +full:- +full:step

1 /*-
3 * Copyright (c) 2013-2015 Mark R V Murray
31 * ISBN 978-0-470-47424-2 "Cryptography Engineering" by Ferguson, Schneier
41 #include <sys/lock.h>
62 #include <crypto/rijndael/rijndael-api-fst.h>
118 /* Reseed lock */
128 * 1. Concurrent full-rate devrandom readers can achieve similar throughput to
130 * non-concurrent design falls over at 2 readers).
137 * mutexes assume that a lock holder currently on CPU will release the lock
140 * (There is no reason rand_harvestq necessarily has to use the same lock as
144 * The concern is that the reduced lock scope might result in a less safe
145 * random(4) design. However, the reduced-lock scope design is still
149 * update the shared read-side state: C, the 128-bit counter; and K, the
155 * Under lock, we can save a copy of C on the stack, and increment the global C
158 * Still under lock, we can save a copy of the key K on the stack, and then
159 * perform the usual key erasure K' <- Keystream(C, K, ...). This does require
161 * global lock held, but that's all; none of the API keystream generation must
162 * be performed under lock.
172 * Status Quo fortuna_read() Reduced-scope locking
173 * ------------------------- ---------------------
176 * 1:Lock() 1:Lock()
182 * 1: <- Keystream 1: <1 block generated>
184 * 1: <1 block generated> 1: <- Keystream
186 * 1: <- Keystream
187 * 1: <- GenBytes()
191 * ------------------------------------------------
199 * 2:Lock() 2:Lock()
204 * 2: <- Keystream 2: <1 block generated>
206 * 2: <1 block generated> 2: <- Keystream
208 * 2: <- Keystream
209 * 2: <- GenBytes()
213 * ------------------------------------------------------
226 * 1: <- Keystream
227 * 1: <- GenBytes
233 * 2: <- Keystream
234 * 2: <- GenBytes
309 &fortuna_concurrent_read, 0, "If non-zero, enable "
313 /*-
314 * FS&K - InitializePRNG()
315 * - P_i = \epsilon
316 * - ReseedCNT = 0
323 /*-
324 * FS&K - InitializeGenerator()
325 * - C = 0
326 * - K = 0
334 /*-
335 * FS&K - AddRandomEvent()
344 /*-
345 * FS&K - P_i = P_i|<harvested stuff>
355 pl = event->he_destination % RANDOM_FORTUNA_NPOOLS;
361 if (event->he_source == RANDOM_PURE_VMGENID)
366 * conducting SP800-90B entropy analysis measurements of seed material
368 * -- wdf
370 KASSERT(event->he_size <= sizeof(event->he_entropy),
371 ("%s: event->he_size: %hhu > sizeof(event->he_entropy): %zu\n",
372 __func__, event->he_size, sizeof(event->he_entropy)));
374 &event->he_somecounter, sizeof(event->he_somecounter));
376 event->he_entropy, event->he_size);
378 /*-
385 sizeof(event->he_somecounter) + event->he_size);
389 /*-
390 * FS&K - Reseed()
416 /*-
417 * FS&K - K = Hd(K|s) where Hd(m) is H(H(0^512|m))
418 * - C = C + 1
437 /*-
438 * FS&K - RandomData() (Part 1)
457 /* FS&K - Use 'getsbinuptime()' to prevent reseed-spamming. */
464 * FS&K - Use 'getsbinuptime()' to prevent reseed-spamming, but do
468 now - fortuna_state.fs_lasttime <= SBT_1S/10)
491 /* FS&K - ReseedCNT = ReseedCNT + 1 */
495 /* FS&K - if Divides(ReseedCnt, 2^i) ... */
497 /*-
498 * FS&K - temp = (P_i)
499 * - P_i = \epsilon
500 * - s = s|H(temp)
528 * 1. Chacha20 is tolerant of non-block-multiple request sizes, so we do not
532 * 2. Chacha20 is a 512-bit block size cipher (whereas AES has 128-bit block
533 * size, regardless of key size). This means Chacha does not require re-keying
535 * explicitly in the conclusion, "If we had a block cipher with a 256-bit [or
540 * at a time before dropping the lock, to not bully the lock especially. This
565 * don't have to worry about rekeying Chacha; API is byte-oriented.
574 * While holding the global lock, limit PRF generation to
580 * 128-bit block ciphers like AES must be re-keyed at 1MB
582 * from true random data (FS&K 9.4, p. 143-144).
596 bytecount -= chunk_size;
616 * If we're holding the global lock, yield it briefly
653 * In locked mode, re-key global K before dropping the lock, which we
670 * Handle only "concurrency-enabled" Fortuna reads to simplify logic.
687 * We will step the global counter 'C' by this number under lock, and
688 * then actually consume the counter values outside the lock.
718 * Step the counter as if we had generated 'bytecount' blocks for this
720 * range of counter values once we drop the global lock.
727 * 'randomdev_keystream()' will step the fs_counter 'C' appropriately
750 /*-
751 * FS&K - RandomData() (Part 2)
785 "If non-zero, pretend Fortuna is in an unseeded state. By setting "
810 * kicked the initial seed step. Do so now.