thirdparty/rng-tools.git
Release version 5. [master, v5]
Jeff Garzik [Tue, 1 Apr 2014 05:03:31 +0000 (01:03 -0400)]

rdrand: Enable the RDSEED instruction
H. Peter Anvin [Tue, 4 Mar 2014 23:24:39 +0000 (15:24 -0800)]

Enable the use of the RDSEED instruction.  Since RDSEED can more
easily be starved of entropy due to use on other threads, allow it to
fall back to RDRAND by having a function which for every RDSEED
failure executes RDRAND and stores a sample in a separate buffer.

The RDRAND buffer and its high water mark are made static so that they
can accumulate data across multiple invocations.

Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
rdrand: Fix the RDRAND data reduction
H. Peter Anvin [Tue, 4 Mar 2014 23:04:40 +0000 (15:04 -0800)]

The RDRAND data reduction function was not correct.  Specifically:

1. When using AESni, in order to guarantee at least one reseed event
   per reduction stripe we need to process the data in a different
   order.  This means writing all the data out to a buffer before
   processing it, and then processing it in much larger stripes.

2. When using gcrypt, we are only performing one reduction at a time,
   so only process enough input for one reduction and only generate
   that amount of output.

Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
rdrand: Simplify by changing x86_rdrand_nlong to x86_rdrand_bytes
H. Peter Anvin [Tue, 4 Mar 2014 22:55:38 +0000 (14:55 -0800)]

Make the code simpler by making x86_rdrand_nlong instead take a count
in bytes and return the number of bytes written (the latter will
matter for upcoming RDSEED enabling.)

The function may still round up the size of the output buffer to a 4-
or 8-byte boundary.

Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
rngd_rdrand: Support compiling for x32 by adding unative_t
H. Peter Anvin [Tue, 4 Mar 2014 22:49:10 +0000 (14:49 -0800)]

On the x32 ABI for x86-64, sizeof(long) == 4, but we still use the
8-byte randomness instructions and flags.  In order to support
compilation for x32, introduce a new type "unative_t" which is
typedef'd to the appropriate type for the architecture.

Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
rdrand_asm.S: On x86-64 we have enough registers, avoid repeated loads
H. Peter Anvin [Tue, 25 Feb 2014 05:49:58 +0000 (21:49 -0800)]

On x86-64 there are enough registers that there really is no point in
using a repeated memory operand for the key material.  Load it into a
register instead, hopefully it will be slightly faster.

Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
rdrand_asm.S: Use #ifdef instead of #if defined()
H. Peter Anvin [Tue, 25 Feb 2014 05:40:34 +0000 (21:40 -0800)]

Use #ifdef rather than #if defined() when we are testing for only one
symbol.

Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
rngd_rdrand: Don't use a fixed AES key for data reduction
H. Peter Anvin [Mon, 24 Feb 2014 22:01:49 +0000 (14:01 -0800)]

If we're going to run the data through AES anyway, there is no point
in using the same key every time.  Grab a key from /dev/urandom,
although of course it is unknown how much entropy actually *is* in
/dev/urandom at this point, it is presumably better than nothing,
which is what we have now and XOR with rdrand output.

Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
rngd_rdrand: Code style cleanups
H. Peter Anvin [Mon, 24 Feb 2014 21:35:48 +0000 (13:35 -0800)]

Break up the code into smaller functions for readability, make the
code conform a little closer to Linux standard, and try to reduce the
number of #ifdefs.

Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Add BUGS file.
Jeff Garzik [Thu, 18 Apr 2013 23:07:32 +0000 (19:07 -0400)]

Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
rngd.8: Delete obsolete FIXME
Jeff Garzik [Thu, 18 Apr 2013 23:02:44 +0000 (19:02 -0400)]

Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Provide support for RDRAND capable systems that don't have AES-NI.
John Mechalas [Thu, 21 Feb 2013 18:50:56 +0000 (10:50 -0800)]

Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Fix the AES keys so that they are correct and match the comments.
John Mechalas [Thu, 21 Feb 2013 18:41:11 +0000 (10:41 -0800)]

Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Update FSF mailing address in license.
Jeff Garzik [Mon, 6 Aug 2012 17:04:36 +0000 (13:04 -0400)]

Caught by rpmlint.

Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
rngtest.1.in: Import spelling fixes from Fedora
Jeff Garzik [Mon, 6 Aug 2012 16:47:29 +0000 (12:47 -0400)]

Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Release version 4. [v4]
Jeff Garzik [Thu, 2 Aug 2012 19:02:09 +0000 (15:02 -0400)]

Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Polish README a bit.
Jeff Garzik [Thu, 2 Aug 2012 18:55:47 +0000 (14:55 -0400)]

rngd: As long as FIPS error rates are low, re-try the same source
H. Peter Anvin [Wed, 1 Aug 2012 21:31:41 +0000 (14:31 -0700)]

Allow for a small number of FIPS errors before advancing to the
next source.  This prevents a high bandwidth source from stalling
out by shifting to a low bandwidth source (e.g. DRNG->TPM) just
because of a single FIPS failure.  FIPS failures are frequent
enough (1:1250) that this happens on a regular basis.

Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
rngd: Initialize RNGs in order of preference
H. Peter Anvin [Wed, 1 Aug 2012 21:31:40 +0000 (14:31 -0700)]

The DRNG entropy source, if present, is going to be orders of
magnitudes faster than most other sources, so initialize it
first so that it shows up first in the list.

Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
rngd: Allow up to a 1:1000 false error rate on FIPS tests
H. Peter Anvin [Wed, 1 Aug 2012 21:31:39 +0000 (14:31 -0700)]

The FIPS tests have a measured false positive error rate of
approximately 1:1250.  In order to not permanently disable a
functioning random number source under high traffic, allow
one failure per 1000 successful blocks.

However, never allow more than 25 subsequent failures; this is
handled by not allowing the failures counter to go below zero.

Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
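The failure budget described in the two commit messages above (one forgiven failure per 1000 good blocks, never more than 25 outstanding failures, counter clamped at zero), modelled as an added example that is not rng-tools' own code; the constants come from the commit messages, the type and function names are this example's own:

```c
#include <stdbool.h>
#include <stdio.h>

/* Values as stated in the commit message; the identifiers are this
 * example's own, not rng-tools symbols. */
#define FIPS_OK_CREDIT      1000   /* good blocks that forgive one failure */
#define FIPS_MAX_FAILURES   25     /* outstanding failures tolerated */

struct fips_budget {
    int failures;   /* unforgiven FIPS failures, never allowed below 0 */
    int successes;  /* good blocks since the last forgiveness */
};

/* Record the result of one FIPS-tested block.  Returns true when the
 * source has exceeded its failure budget and should be disabled. */
bool fips_budget_record(struct fips_budget *b, bool block_passed)
{
    if (block_passed) {
        if (++b->successes >= FIPS_OK_CREDIT) {
            b->successes = 0;
            if (b->failures > 0)      /* clamp: no credit is stored up */
                b->failures--;
        }
        return false;
    }
    b->failures++;
    return b->failures > FIPS_MAX_FAILURES;
}

/* Simulate a source whose every `period`-th block fails FIPS (period 1 means
 * every block fails).  Returns the 1-based block number at which the source
 * is disabled, or -1 if it survives all `blocks` blocks. */
int blocks_until_disabled(int period, int blocks)
{
    struct fips_budget b = { 0, 0 };
    for (int i = 1; i <= blocks; i++) {
        bool passed = (i % period) != 0;
        if (fips_budget_record(&b, passed))
            return i;
    }
    return -1;
}

int main(void)
{
    /* A healthy source at the measured 1:1250 false-positive rate is never
     * disabled; a dead source is cut off after the 26th consecutive failure. */
    printf("1:1250 false positives -> %d\n", blocks_until_disabled(1250, 1000000));
    printf("every block fails      -> %d\n", blocks_until_disabled(1, 1000));
    return 0;
}
```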
rngd: don't open the TPM if hwrng is available
H. Peter Anvin [Wed, 1 Aug 2012 21:31:38 +0000 (14:31 -0700)]

If /dev/hwrng is available, do not open the TPM.  Newer kernels export
TPM randomness via /dev/hwrng; this properly handles multiplexing of
the TPM so that we don't interfere with TrouSerS.  Thus, we don't want
to open /dev/tpm0 if we can open /dev/hwrng.

Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
rngd_linux: Log a warning if write_wakeup_threshold can't be adjusted
H. Peter Anvin [Wed, 1 Aug 2012 21:31:37 +0000 (14:31 -0700)]

If we fail to write write_wakeup_threshold, log a warning but
continue.

Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
rngd_rdrand: Actually perform the correct AES data reduction
H. Peter Anvin [Wed, 1 Aug 2012 21:31:36 +0000 (14:31 -0700)]

The pointers were confused in such a way that the AES data reduction
wasn't actually being performed.  Furthermore, architecturally we need
a 512:1 data reduction, rather than 128:1.  Finally, initialize the IV
to random value during startup and remove some unnecessary buffer
shuffling.

Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
drng: Move DRNG code to a separate file and make safe on non-x86
H. Peter Anvin [Wed, 1 Aug 2012 21:31:35 +0000 (14:31 -0700)]

Move all the DRNG code to a separate file, and make sure it is
properly stubbed out on non-x86.  Furthermore, fix the CPUID bits we
check for; in particular we need AES-ni for the whitening code.

Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
rdrand_asm.S: Mark stack non-executable
H. Peter Anvin [Wed, 1 Aug 2012 21:31:34 +0000 (14:31 -0700)]

There is no reason for the stack to be executable.

Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Change the default device from /dev/hw_random to /dev/hwrng
H. Peter Anvin [Mon, 30 Jul 2012 21:48:09 +0000 (14:48 -0700)]

Change the default device name for the hardware random number device
from /dev/hw_random to /dev/hwrng, which is the filename documented in
devices.txt and appears to be the device name created by udev and
devtmpfs.

Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
rngd_linux: Modify write_wakeup_threshold to the fill threshold
H. Peter Anvin [Mon, 30 Jul 2012 21:42:36 +0000 (14:42 -0700)]

The kernel.random.write_wakeup_threshold sysctl needs to be set to the
point where we want poll() on the random device to wake up.  This
replaces the level check in ioctl() used during polling.

Set it by default to 3/4 of the value of kernel.random.poolsize.

Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
rngd_linux: Fix () used in prototype
H. Peter Anvin [Mon, 30 Jul 2012 21:26:45 +0000 (14:26 -0700)]

() is an acceptable prototype in C++, but C requires (void).

Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Add RDRAND support
Brad Hill [Tue, 31 Jul 2012 16:26:51 +0000 (12:26 -0400)]

Removed timeout option, leaving poll unlimited
Brad Hill [Thu, 26 Jul 2012 13:51:59 +0000 (09:51 -0400)]

Removed timeout variables, parameters, and argument.  Poll is now called
with -1 as the timeout.

Prefer 'bool' to 'int', for boolean values
Jeff Garzik [Wed, 18 Jul 2012 00:36:36 +0000 (20:36 -0400)]

Create PID file at startup, in daemon mode
Jeff Garzik [Wed, 18 Jul 2012 00:19:24 +0000 (20:19 -0400)]

Code imported from Project Hail

Added -q and -v flags, updated help and man page
Brad Hill [Tue, 17 Jul 2012 23:50:40 +0000 (19:50 -0400)]

-q and --quiet flags to suppress error messages from rngd.c
-v and --verbose flags to list available entropy sources
help and man page reflect these changes and have minor fixes

Fix -Wshadow warning.
Jeff Garzik [Tue, 17 Aug 2010 20:05:07 +0000 (16:05 -0400)]

Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Disable entropy source, if facing continued failures.
Jeff Garzik [Tue, 17 Aug 2010 19:59:01 +0000 (15:59 -0400)]

If all entropy sources are disabled, exit.

Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Release version 3. [v3]
Jeff Garzik [Sun, 4 Jul 2010 03:00:41 +0000 (23:00 -0400)]

Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
s/list_add/src_list_add/
Jeff Garzik [Sun, 4 Jul 2010 03:00:18 +0000 (23:00 -0400)]

Avoid global namespace clashes.

Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Add TPM RNG support.
Jeff Garzik [Sun, 4 Jul 2010 02:43:21 +0000 (22:43 -0400)]

Also, trim trailing whitespace.

Contributed by Dell, with bug fixes by David Howells @ Red Hat.

Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Default to /dev/hw_random for RNG device name.
Jeff Garzik [Sun, 4 Jul 2010 02:35:47 +0000 (22:35 -0400)]

This matches the most prevalent, current Linux usage.

Imported from RHEL 6 rng-tools.

Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
rngd: fix build warning
Jeff Garzik [Thu, 24 Dec 2009 06:51:08 +0000 (01:51 -0500)]

Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Explicitly ship GPLv2 license.
Jeff Garzik [Thu, 24 Dec 2009 06:48:52 +0000 (01:48 -0500)]

Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Fix uint64_t/unsigned long long printf(3) warnings.
Jeff Garzik [Tue, 4 Dec 2007 00:34:31 +0000 (19:34 -0500)]

Update .gitignore.
Jeff Garzik [Tue, 25 Oct 2005 06:51:23 +0000 (02:51 -0400)]

Import rng-tools from private subversion repo.
Jeff Garzik [Tue, 25 Oct 2005 06:49:12 +0000 (02:49 -0400)]