Since commit "7f397dc random: fix seeding with zero entropy" we are adding data from zero-entropy random_writes directly to output pools. We can leverage the fact the seed used for such case is usually long enough to completely stir all bits from the input pool which is, by default, 4 times longer than the output pools and break it in two to stir differently the output pools. This can help on making a stronger security claim on output pool internal state. This patch introduces changes to the random_write method so it can split the given seed and completely stir the output pools with different halves of it, when seed lenght allows us doing so. Signed-off-by: Rafael Aquini <aquini@xxxxxxxxxx> --- Suggested by Stephan Mueller <stephan.mueller@xxxxxxxxx> drivers/char/random.c | 38 ++++++++++++++++++++++++++++++++------ 1 file changed, 32 insertions(+), 6 deletions(-) diff --git a/drivers/char/random.c b/drivers/char/random.c index 429b75b..d623234 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -274,6 +274,7 @@ #define INPUT_POOL_WORDS (1 << (INPUT_POOL_SHIFT-5)) #define OUTPUT_POOL_SHIFT 10 #define OUTPUT_POOL_WORDS (1 << (OUTPUT_POOL_SHIFT-5)) +#define OUTPUT_POOL_SIZE ((1 << OUTPUT_POOL_SHIFT) >> 3) #define SEC_XFER_SIZE 512 #define EXTRACT_SIZE 10 @@ -1387,19 +1388,44 @@ write_pool(struct entropy_store *r, const char __user *buffer, size_t count) return 0; } -static ssize_t random_write(struct file *file, const char __user *buffer, - size_t count, loff_t *ppos) +static size_t __do_random_write(const char __user *buffer, + size_t count, bool split_buffer) { - size_t ret; + size_t ret, offset, count1, count2; + struct entropy_store *pool1, *pool2; + + offset = 0; + count1 = count2 = count; + pool1 = &blocking_pool; + pool2 = &nonblocking_pool; + + if (split_buffer) { + size_t rnd; + count1 = count / 2; + count2 = count - count1; + offset = count1; + + get_random_bytes(&rnd, 2); + if (rnd % 2) { + pool1 = &nonblocking_pool; + pool2 = &blocking_pool; + } + } - ret = write_pool(&blocking_pool, buffer, count); + ret = write_pool(pool1, buffer, count1); if (ret) return ret; - ret = write_pool(&nonblocking_pool, buffer, count); + ret = write_pool(pool2, buffer + offset, count2); if (ret) return ret; - return (ssize_t)count; + return count; +} + +static ssize_t random_write(struct file *file, const char __user *buffer, + size_t count, loff_t *ppos) +{ + return __do_random_write(buffer, count, (count >= 2*OUTPUT_POOL_SIZE)); } static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg) -- 1.8.3.1 -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html