If any of these differentials is zero, no entropy is assumed to have been gathered. If all are non-zero, one bit is assumed. Next, data is mixed into the entropy pool using an LFSR (linear feedback shift register).
To extract data from the entropy pool, a cryptographically strong hash function is used. The output of this hash is mixed back into the pool using the LFSR, and then folded in half before being returned to the caller.
Mixing the actual hash into the pool causes the next extraction to return a different value, even if no timing events were added to the pool. Folding the data in half prevents the caller to derive the actual hash of the pool, preventing some attacks.
Reading from
/dev/random
will only return values while sufficient entropy exists in the
internal pool. When sufficient entropy does not exist, EAGAIN is
returned for non-blocking reads, or the read will block for blocking
reads.
Reading from
/dev/urandom
will return as many values as requested, even when the entropy pool is
empty. This data is not as good as reading from
/dev/random
since when the pool is empty, data is still returned, degenerating to a
pseudo-random generator.
Writing to either device will mix the data written into the pool using the LFSR as above, without modifying the entropy estimation for the pool.
typedef struct {
char name[16];
uint32_t last_time;
uint32_t last_delta;
uint32_t last_delta2;
uint32_t total;
uint32_t type;
uint32_t flags;
} rndsource_t;
This structure holds the internal representation of a device's timing state. The name field holes the device name, as known to the kernel. The last_time entry is the timestamp of the last time this device generated an event. It is for internal use only, and not in any specific representation. The last_delta and last_delta2 fields hold the last first- and second-order deltas. The total field holds a count of how many bits this device has potentially generated. This is not the same as how many bits were used from it. The type field holds the device type.
RND_TYPE_DISK
RND_TYPE_NET
RND_TYPE_TAPE
RND_TYPE_TTY
RND_TYPE_RNG
flags is a bitfield.
RND_FLAG_NO_ESTIMATE
RND_FLAG_NO_COLLECT
sys/rnd.h
>
file, along with the data types and constants.
RNDGETENTCNT
uint32_t
)
Return the current entropy count (in bits).
RNDGETSRCNUM
rndstat_t
)
typedef struct {
uint32_t start;
uint32_t count;
rndsource_t source[RND_MAXSTATCOUNT];
} rndstat_t;
Return data for sources, starting at start and returning at most count sources.
The values returned are actual in-kernel snapshots of the entropy status for devices. Leaking the internal timing information will weaken security.
RNDGETSRCNAME
rndstat_name_t
)
typedef struct {
char name[16];
rndsource_t source;
} rndstat_name_t;
Return the device state for a named device.
RNDCTL
rndctl_t
)
typedef struct {
char name[16];
uint32_t type;
uint32_t flags;
uint32_t mask;
} rndctl_t;
Change bits in the device state information. If type is 0xff, only the device name stored in name is used. If it is any other value, all devices of type type are altered. This allows all network interfaces to be disabled for entropy collection with one call, for example. The flags and mask work together to change flag bits. The mask field specifies which bits in flags are to be set or cleared.
RNDADDDATA
rnddata_t
)
typedef struct {
uint32_t len;
uint32_t entropy;
u_char data[RND_POOLWORDS * 4];
} rnddata_t;
/dev/random
/dev/urandom