Module Name: src
Committed By: martin
Date: Tue Sep 3 12:08:22 UTC 2019
Modified Files:
src/sys/conf [netbsd-8]: files
src/sys/dev [netbsd-8]: rndpseudo.c
src/sys/kern [netbsd-8]: subr_cprng.c
src/sys/rump/kern/lib/libcrypto [netbsd-8]: Makefile
src/sys/rump/librump/rumpkern [netbsd-8]: Makefile.rumpkern
src/sys/sys [netbsd-8]: cprng.h
Added Files:
src/sys/crypto/nist_hash_drbg [netbsd-8]: files.nist_hash_drbg
nist_hash_drbg.c nist_hash_drbg.h
Removed Files:
src/sys/crypto/nist_ctr_drbg [netbsd-8]: files.nist_ctr_drbg
nist_ctr_aes_rijndael.h nist_ctr_drbg.c nist_ctr_drbg.h
nist_ctr_drbg_aes128.h nist_ctr_drbg_aes256.h
nist_ctr_drbg_config.h
Log Message:
Pull up following revision(s) (requested by riastradh in ticket #1365):
sys/crypto/nist_hash_drbg/nist_hash_drbg.c: revision 1.1
sys/crypto/nist_hash_drbg/nist_hash_drbg.h: revision 1.1
sys/rump/kern/lib/libcrypto/Makefile: revision 1.5
sys/crypto/nist_hash_drbg/files.nist_hash_drbg: revision 1.1
sys/rump/librump/rumpkern/Makefile.rumpkern: revision 1.176
sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes256.h: file removal
sys/crypto/nist_ctr_drbg/nist_ctr_drbg_config.h: file removal
sys/conf/files: revision 1.1238
sys/dev/rndpseudo.c: revision 1.38
sys/crypto/nist_ctr_drbg/nist_ctr_drbg.c: file removal
sys/sys/cprng.h: revision 1.13 - 1.15
sys/crypto/nist_ctr_drbg/nist_ctr_drbg.h: file removal
sys/crypto/nist_ctr_drbg/nist_ctr_aes_rijndael.h: file removal
sys/crypto/nist_ctr_drbg/files.nist_ctr_drbg: file removal
sys/kern/subr_cprng.c: revision 1.31
sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes128.h: file removal
cprng.h: use static __inline for consistency with other include
headers and remove an unused function.
-
Switch from NIST CTR_DRBG with AES to NIST Hash_DRBG with SHA-256.
Benefits:
- larger seeds -- a 128-bit key alone is not enough for `128-bit security'
- better resistance to timing side channels than AES
- a better-understood security story (<a rel="nofollow"
href="https://eprint.iacr.org/2018/349";>https://eprint.iacr.org/2018/349</a>)
- no loss in compliance with US government standards that nobody ever
got fired for choosing, at least in the US-dominated western world
- no dirty endianness tricks
- self-tests
Drawbacks:
- performance hit: throughput is reduced to about 1/3 in naive measurements
=> possible to mitigate by using hardware SHA-256 instructions
=> all you really need is 32 bytes to seed a userland PRNG anyway
=> if we just used ChaCha this would go away...
To generate a diff of this commit:
cvs rdiff -u -r1.1173.2.7 -r1.1173.2.8 src/sys/conf/files
cvs rdiff -u -r1.1 -r0 src/sys/crypto/nist_ctr_drbg/files.nist_ctr_drbg \
src/sys/crypto/nist_ctr_drbg/nist_ctr_aes_rijndael.h \
src/sys/crypto/nist_ctr_drbg/nist_ctr_drbg.c \
src/sys/crypto/nist_ctr_drbg/nist_ctr_drbg_config.h
cvs rdiff -u -r1.2 -r0 src/sys/crypto/nist_ctr_drbg/nist_ctr_drbg.h \
src/sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes128.h \
src/sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes256.h
cvs rdiff -u -r0 -r1.1.4.2 src/sys/crypto/nist_hash_drbg/files.nist_hash_drbg \
src/sys/crypto/nist_hash_drbg/nist_hash_drbg.c \
src/sys/crypto/nist_hash_drbg/nist_hash_drbg.h
cvs rdiff -u -r1.35 -r1.35.10.1 src/sys/dev/rndpseudo.c
cvs rdiff -u -r1.27 -r1.27.10.1 src/sys/kern/subr_cprng.c
cvs rdiff -u -r1.4 -r1.4.10.1 src/sys/rump/kern/lib/libcrypto/Makefile
cvs rdiff -u -r1.169.6.1 -r1.169.6.2 \
src/sys/rump/librump/rumpkern/Makefile.rumpkern
cvs rdiff -u -r1.12 -r1.12.10.1 src/sys/sys/cprng.h
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
