[RFC PATCH] char: random: stir the output pools differently when the random_write lenght allows splitting the seed

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Since commit "7f397dc random: fix seeding with zero entropy" we are adding
data from zero-entropy random_writes directly to output pools. We can leverage
the fact the seed used for such case is usually long enough to completely stir
all bits from the input pool which is, by default, 4 times longer than the
output pools and break it in two to stir differently the output pools. This
can help on making a stronger security claim on output pool internal state.

This patch introduces changes to the random_write method so it can split the
given seed and completely stir the output pools with different halves of it, 
when seed lenght allows us doing so. 

Signed-off-by: Rafael Aquini <aquini@xxxxxxxxxx>
---
Suggested by Stephan Mueller <stephan.mueller@xxxxxxxxx>

 drivers/char/random.c | 38 ++++++++++++++++++++++++++++++++------
 1 file changed, 32 insertions(+), 6 deletions(-)

diff --git a/drivers/char/random.c b/drivers/char/random.c
index 429b75b..d623234 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -274,6 +274,7 @@
 #define INPUT_POOL_WORDS	(1 << (INPUT_POOL_SHIFT-5))
 #define OUTPUT_POOL_SHIFT	10
 #define OUTPUT_POOL_WORDS	(1 << (OUTPUT_POOL_SHIFT-5))
+#define OUTPUT_POOL_SIZE	((1 << OUTPUT_POOL_SHIFT) >> 3)
 #define SEC_XFER_SIZE		512
 #define EXTRACT_SIZE		10
 
@@ -1387,19 +1388,44 @@ write_pool(struct entropy_store *r, const char __user *buffer, size_t count)
 	return 0;
 }
 
-static ssize_t random_write(struct file *file, const char __user *buffer,
-			    size_t count, loff_t *ppos)
+static size_t __do_random_write(const char __user *buffer,
+				size_t count, bool split_buffer)
 {
-	size_t ret;
+	size_t ret, offset, count1, count2;
+	struct entropy_store *pool1, *pool2;
+
+	offset = 0;
+	count1 = count2 = count;
+	pool1 = &blocking_pool;
+	pool2 = &nonblocking_pool;
+
+	if (split_buffer) {
+		size_t rnd;
+		count1 = count / 2;
+		count2 = count - count1;
+		offset = count1;
+
+		get_random_bytes(&rnd, 2);
+		if (rnd % 2) {
+			pool1 = &nonblocking_pool;
+			pool2 = &blocking_pool;
+		}
+	}
 
-	ret = write_pool(&blocking_pool, buffer, count);
+	ret = write_pool(pool1, buffer, count1);
 	if (ret)
 		return ret;
-	ret = write_pool(&nonblocking_pool, buffer, count);
+	ret = write_pool(pool2, buffer + offset, count2);
 	if (ret)
 		return ret;
 
-	return (ssize_t)count;
+	return count;
+}
+
+static ssize_t random_write(struct file *file, const char __user *buffer,
+			    size_t count, loff_t *ppos)
+{
+	return __do_random_write(buffer, count, (count >= 2*OUTPUT_POOL_SIZE));
 }
 
 static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
-- 
1.8.3.1

--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux