I have placed a patch at http://www.panix.com/~tls/rndpseudo.diff which removes direct userspace access to the kernel entropy pool. It is replaced with the NIST SP 800-90 CTR_DRBG generator, separately keyed per pseudodevice open (actually, keyed on first read or select so opens don't themselves consume entropy).

The urandom device node will key the generator and output data even if the kernel entropy pool estimates that it does not have enough bits to provide an AES-128 key with full entropy. The random device node will block until sufficient bits are available from the pool to key the generator. Nonblocking/select/poll semantics should be the same as with the old code -- I have test cases for this.

This generator is approximately 20 times as fast as the old generator (dd with bs=64K yields 53MB/sec on 2GHz Core2 instead of 2.5MB/sec) and also uses a separate mutex per instance so concurrency is greatly improved.

I have also fixed various bugs (including some missing locking and a reseed-counter overflow in the CTR_DRBG code) while testing this. I am sure there are new bugs too.

I intend to check this in by Monday, December 12, and then, in a separate step, move the remaining code from "rnd.c" and "rndpool.c" to sys/kern from sys/dev, since it is no longer device code.

So, if you have comments -- soon, please.

Thanks!

Thor
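The keying policy described in the message above, as a small C model added here for illustration; it is not code from the patch or from NetBSD. All names (`rndctx`, `rnd_try_key`, `rnd_readable`, `rnd_read`) are hypothetical, the pool is reduced to a bit-count estimate, and the CTR_DRBG output and reseeding are not modelled.

```c
#include <stdbool.h>

#define KEY_BITS 128u  /* AES-128 key size, as in the post */

enum rnd_result { RND_OK, RND_EAGAIN, RND_SLEEP };

struct pool { unsigned bits; };  /* model of the kernel pool's entropy estimate */

struct rndctx {                  /* one generator instance per open() */
    struct pool *pool;
    bool hard;                   /* true = random node, false = urandom node */
    bool keyed;                  /* has this instance been keyed yet? */
    bool full_entropy;           /* did the estimate cover a whole key? */
};

/* open() only records which node was opened; it draws nothing from the pool. */
static void rnd_open(struct rndctx *c, struct pool *p, bool hard)
{
    c->pool = p; c->hard = hard; c->keyed = false; c->full_entropy = false;
}

/* Key on first use. Returns false only when the random node has to wait. */
static bool rnd_try_key(struct rndctx *c)
{
    if (c->keyed)
        return true;
    if (c->pool->bits >= KEY_BITS) {
        c->pool->bits -= KEY_BITS;   /* a full-entropy key is available */
        c->full_entropy = true;
    } else if (c->hard) {
        return false;                /* random: wait for the pool to fill */
    } else {
        c->pool->bits = 0;           /* urandom: key anyway (draining the
                                        estimate is a modelling assumption) */
    }
    c->keyed = true;
    return true;
}

/* select()/poll(): readable once keyed; this is also a keying point. */
static bool rnd_readable(struct rndctx *c) { return rnd_try_key(c); }

/* read(): only the gate in front of the generator is modelled here. */
static enum rnd_result rnd_read(struct rndctx *c, bool nonblock)
{
    if (rnd_try_key(c))
        return RND_OK;
    return nonblock ? RND_EAGAIN : RND_SLEEP;
}
```

In this model, several opens against a pool holding fewer than 256 bits show the difference: the first random reader keys and proceeds, a second random reader waits or gets `RND_EAGAIN`, and a urandom reader proceeds with `full_entropy` left false.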