Date: Fri, 6 Oct 2017 18:27:56 +0000 (UTC) From: Conrad Meyer <cem@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r324372 - head/sys/dev/random Message-ID: <201710061827.v96IRu1Q098943@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: cem Date: Fri Oct 6 18:27:55 2017 New Revision: 324372 URL: https://svnweb.freebsd.org/changeset/base/324372 Log: random(4): Discard low entropy inputs The later fields of the harvest_event structure are predictable and provide little value to the entropy pool. Only feed in the relatively high entropy counter and explicit entropy buffer to increase measured input entropy. See also: https://people.freebsd.org/~jmg/vbsdcon_2017_ddfreebsdrng_slides.pdf PR: 222807 Submitted by: W. Dean Freeman <badfilemagic AT gmail.com> Reviewed by: jmg (earlier version), delphij Approved by: secteam (delphij) Obtained from: HBSD 8d809124d563937edd84c9c9d5494406e359c55c Security: no -- low entropy marginal input has no known negative affect on pool quality Differential Revision: https://reviews.freebsd.org/D12610 Modified: head/sys/dev/random/fortuna.c Modified: head/sys/dev/random/fortuna.c ============================================================================== --- head/sys/dev/random/fortuna.c Fri Oct 6 18:22:36 2017 (r324371) +++ head/sys/dev/random/fortuna.c Fri Oct 6 18:27:55 2017 (r324372) @@ -1,4 +1,5 @@ /*- + * Copyright (c) 2017 W. Dean Freeman * Copyright (c) 2013-2015 Mark R V Murray * All rights reserved. * @@ -87,7 +88,7 @@ __FBSDID("$FreeBSD$"); * and too small may compromise initial security but get faster reseeds. */ #define RANDOM_FORTUNA_MINPOOLSIZE 16 -#define RANDOM_FORTUNA_MAXPOOLSIZE UINT_MAX +#define RANDOM_FORTUNA_MAXPOOLSIZE INT_MAX CTASSERT(RANDOM_FORTUNA_MINPOOLSIZE <= RANDOM_FORTUNA_DEFPOOLSIZE); CTASSERT(RANDOM_FORTUNA_DEFPOOLSIZE <= RANDOM_FORTUNA_MAXPOOLSIZE); @@ -232,17 +233,29 @@ random_fortuna_process_event(struct harvest_event *eve * during accumulation/reseeding and reading/regating. */ pl = event->he_destination % RANDOM_FORTUNA_NPOOLS; - randomdev_hash_iterate(&fortuna_state.fs_pool[pl].fsp_hash, event, sizeof(*event)); + /* + * We ignore low entropy static/counter fields towards the end of the + * he_event structure in order to increase measurable entropy when + * conducting SP800-90B entropy analysis measurements of seed material + * fed into PRNG. + * -- wdf + */ + KASSERT(event->he_size <= sizeof(event->he_entropy), + ("%s: event->he_size: %hhu > sizeof(event->he_entropy): %zu\n", + __func__, event->he_size, sizeof(event->he_entropy))); + randomdev_hash_iterate(&fortuna_state.fs_pool[pl].fsp_hash, + &event->he_somecounter, sizeof(event->he_somecounter)); + randomdev_hash_iterate(&fortuna_state.fs_pool[pl].fsp_hash, + event->he_entropy, event->he_size); + /*- - * Don't wrap the length. Doing this the hard way so as not to wrap at MAXUINT. - * This is a "saturating" add. + * Don't wrap the length. This is a "saturating" add. * XXX: FIX!!: We don't actually need lengths for anything but fs_pool[0], * but it's been useful debugging to see them all. */ - if (RANDOM_FORTUNA_MAXPOOLSIZE - fortuna_state.fs_pool[pl].fsp_length > event->he_size) - fortuna_state.fs_pool[pl].fsp_length += event->he_size; - else - fortuna_state.fs_pool[pl].fsp_length = RANDOM_FORTUNA_MAXPOOLSIZE; + fortuna_state.fs_pool[pl].fsp_length = MIN(RANDOM_FORTUNA_MAXPOOLSIZE, + fortuna_state.fs_pool[pl].fsp_length + + sizeof(event->he_somecounter) + event->he_size); explicit_bzero(event, sizeof(*event)); RANDOM_RESEED_UNLOCK(); }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201710061827.v96IRu1Q098943>