On Tue, Nov 06, 2012 at 10:42:42AM -0500, Jarod Wilson wrote:
> The value stored in last_data must be primed for FIPS 140-2 purposes. Upon
> first use, either on system startup or after an RNDCLEARPOOL ioctl, we
> need to take an initial random sample, store it internally in last_data,
> then pass along the value after that to the requester, so that consistency
> checks aren't being run against stale and possibly known data.
>
> v2: streamline code flow a bit, eliminating extra loop and spinlock in the
> case where we need to prime, and account for the extra primer bits.
>
> v3: extract_buf() can't be called with spinlock already held, so bring
> back some extra lock/unlock calls.
>
> CC: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
> CC: "David S. Miller" <davem@xxxxxxxxxxxxx>
> CC: Neil Horman <nhorman@xxxxxxxxxxxxx>
> CC: Matt Mackall <mpm@xxxxxxxxxxx>
> CC: linux-crypto@xxxxxxxxxxxxxxx
> Signed-off-by: Jarod Wilson <jarod@xxxxxxxxxx>
> ---
> drivers/char/random.c | 17 +++++++++++++++++
> 1 files changed, 17 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/char/random.c b/drivers/char/random.c
> index b86eae9..d0139df 100644
> --- a/drivers/char/random.c
> +++ b/drivers/char/random.c
> @@ -437,6 +437,7 @@ struct entropy_store {
> int entropy_count;
> int entropy_total;
> unsigned int initialized:1;
> + bool last_data_init;
> __u8 last_data[EXTRACT_SIZE];
> };
>
> @@ -957,6 +958,10 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
> ssize_t ret = 0, i;
> __u8 tmp[EXTRACT_SIZE];
>
> + /* if last_data isn't primed, we need EXTRACT_SIZE extra bytes */
> + if (fips_enabled && !r->last_data_init)
> + nbytes += EXTRACT_SIZE;
> +
> trace_extract_entropy(r->name, nbytes, r->entropy_count, _RET_IP_);
> xfer_secondary_pool(r, nbytes);
> nbytes = account(r, nbytes, min, reserved);
> @@ -967,6 +972,17 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
> if (fips_enabled) {
> unsigned long flags;
>
> +
> + /* prime last_data value if need be, per fips 140-2 */
> + if (!r->last_data_init) {
> + spin_lock_irqsave(&r->lock, flags);
> + memcpy(r->last_data, tmp, EXTRACT_SIZE);
> + r->last_data_init = true;
> + nbytes -= EXTRACT_SIZE;
> + spin_unlock_irqrestore(&r->lock, flags);
> + extract_buf(r, tmp);
> + }
> +
> spin_lock_irqsave(&r->lock, flags);
> if (!memcmp(tmp, r->last_data, EXTRACT_SIZE))
> panic("Hardware RNG duplicated output!\n");
> @@ -1086,6 +1102,7 @@ static void init_std_data(struct entropy_store *r)
>
> r->entropy_count = 0;
> r->entropy_total = 0;
> + r->last_data_init = false;
> mix_pool_bytes(r, &now, sizeof(now), NULL);
> for (i = r->poolinfo->POOLBYTES; i > 0; i -= sizeof(rv)) {
> if (!arch_get_random_long(&rv))
> --
> 1.7.1
>
>
Thanks Jarod.
Acked-by: Neil Horman <nhorman@xxxxxxxxxxxxx>
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
