From owner-svn-src-all@FreeBSD.ORG Tue Nov 4 23:02:20 2014
Message-Id: <201411042302.sA4N2K4X063860@svn.freebsd.org>
From: Dag-Erling Smørgrav
Date: Tue, 4 Nov 2014 23:02:20 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r274103 - head/sys/dev/random

Author: des
Date: Tue Nov 4 23:02:19 2014
New Revision: 274103
URL: https://svnweb.freebsd.org/changeset/base/274103

Log:
  When reseeding the DPRNG, we're supposed to hash the current key and some accumulated entropy twice and use that as the new key. Due to a typo, we were using the output of the first hash round instead of the second. Correct this, but eliminate temp[] since we can reuse hash[]. Also add comments explaining what is going on and why.

  Noticed by:	Sami Farin
  Reviewed by:	markm@
  Approved by:	so (des)

Modified:
  head/sys/dev/random/fortuna.c

Modified: head/sys/dev/random/fortuna.c ============================================================================== --- head/sys/dev/random/fortuna.c Tue Nov 4 23:02:16 2014 (r274102) +++ head/sys/dev/random/fortuna.c Tue Nov 4 23:02:19 2014 (r274103) @@ -25,6 +25,17 @@ * */ +/* This implementation of Fortuna is based on the descriptions found in + * ISBN 0-471-22357-3 "Practical Cryptography" by Ferguson and Schneier + * ("K&S"). + * + * The above book is superceded by ISBN 978-0-470-47424-2 "Cryptography + * Engineering" by Ferguson, Schneier and Kohno ("FS&K"). + * + * This code has not yet caught up with FS&K, but differences are not + * expected to be complex. + */ + #include __FBSDID("$FreeBSD$"); 
@@ -234,27 +245,26 @@ static void reseed(uint8_t *junk, u_int length) { struct randomdev_hash context; - uint8_t hash[KEYSIZE], temp[KEYSIZE]; + uint8_t hash[KEYSIZE]; KASSERT(fortuna_state.minpoolsize > 0, ("random: Fortuna threshold = 0")); #ifdef _KERNEL mtx_assert(&random_reseed_mtx, MA_OWNED); #endif - /* F&S - temp = H(K|s) */ + /* F&S - K = Hd(K|s) where Hd(m) is H(H(m)) */ randomdev_hash_init(&context); +#if 0 + /* FS&K defines Hd(m) as H(H(0^512|m)) */ + randomdev_hash_iterate(&context, zero_region, KEYSIZE); +#endif randomdev_hash_iterate(&context, &fortuna_state.key, sizeof(fortuna_state.key)); randomdev_hash_iterate(&context, junk, length); - randomdev_hash_finish(&context, temp); - - /* F&S - hash = H(temp) */ + randomdev_hash_finish(&context, hash); randomdev_hash_init(&context); - randomdev_hash_iterate(&context, temp, KEYSIZE); + randomdev_hash_iterate(&context, hash, KEYSIZE); randomdev_hash_finish(&context, hash); - - /* F&S - K = hash */ - randomdev_encrypt_init(&fortuna_state.key, temp); - memset(temp, 0, sizeof(temp)); + randomdev_encrypt_init(&fortuna_state.key, hash); memset(hash, 0, sizeof(hash)); /* Unblock the device if it was blocked due to being unseeded */
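Review bot: In the first hunk (@@ -25,6 +25,17 @@) the new header comment abbreviates Ferguson and Schneier as "K&S", while the reseed comment in the second hunk refers to the same book as "F&S"; the header should read ("F&S") so the two agree. The same comment has "superceded" for "superseded". It would also help to name the FS&K difference that is known to be outstanding (the 0^512 prefix in Hd, which the second hunk leaves under #if 0) instead of only "differences are not expected to be complex", so the next reader can verify the gap rather than rediscover it.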
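Review bot: In the second hunk (@@ -234,27 +245,26 @@) the key-selection fix is correct: `randomdev_encrypt_init(&fortuna_state.key, hash)` now receives the output of the second `randomdev_hash_finish`, where the removed line `randomdev_encrypt_init(&fortuna_state.key, temp)` passed the first-round digest, so the installed key is now Hd(K|s) = H(H(K|s)) as the new comment states. Two follow-ups. The `#if 0` block references `zero_region`, which is not declared anywhere visible in this hunk, and this file is also built outside the kernel (see the `#ifdef _KERNEL` guard a few lines above), so if the FS&K form is meant to be selectable it should sit behind a named compile-time option with a zero buffer available in both builds; note too that FS&K's 0^512 is 64 bytes, which only equals KEYSIZE if KEYSIZE is 64, so `randomdev_hash_iterate(&context, zero_region, KEYSIZE)` needs checking against the book before it is ever enabled. Separately, `memset(hash, 0, sizeof(hash))` on a local that is never read again is the pattern a compiler may drop as a dead store, so wiping this key material should use a call the compiler cannot elide (a volatile-pointer wipe or an explicit_bzero-style helper).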
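As an added illustration, not part of r274103 or of FreeBSD's sources: a Python model of the reseed routine's key derivation, with the pre-fix behaviour, the fixed F&S form, and the FS&K variant that the commit leaves under `#if 0` side by side. It assumes SHA-256 for H and KEYSIZE = 32 (both constructed assumptions for this model, chosen because a SHA-256 digest is 32 bytes); `reseed_pre_fix`, `reseed_fixed`, `reseed_fsk` and `conforms_to_fs` are names invented here, and the test vectors are constructed.

```python
import hashlib

# Constructed assumptions for this model (not FreeBSD's definitions):
# H is SHA-256 and KEYSIZE is the 32-byte digest length.
KEYSIZE = 32


def H(data: bytes) -> bytes:
    """One hash round, standing in for randomdev_hash_init/iterate/finish."""
    return hashlib.sha256(data).digest()


def reseed_fixed(key: bytes, entropy: bytes) -> bytes:
    """Behaviour after r274103: K = Hd(K|s) with Hd(m) = H(H(m)) (F&S).

    The first digest lands in hash[], is fed back through the hash, and the
    second digest in hash[] becomes the new key.
    """
    assert len(key) == KEYSIZE
    first = H(key + entropy)   # hash[] after the first randomdev_hash_finish
    return H(first)            # hash[] after the second finish -> new key


def reseed_pre_fix(key: bytes, entropy: bytes) -> bytes:
    """Behaviour before r274103: the second round was computed into hash[],
    but randomdev_encrypt_init was handed temp[], the first-round digest."""
    assert len(key) == KEYSIZE
    temp = H(key + entropy)
    _hash = H(temp)            # computed, then discarded by the typo
    return temp


def reseed_fsk(key: bytes, entropy: bytes) -> bytes:
    """The #if 0 variant: FS&K defines Hd(m) = H(H(0^512 | m)).

    0^512 is 512 zero bits, i.e. 64 zero bytes, independent of KEYSIZE.
    """
    assert len(key) == KEYSIZE
    return H(H(bytes(64) + key + entropy))


def run_reseeds(reseed, key: bytes, entropy_inputs) -> bytes:
    """Chain several reseeds, as the generator would over its lifetime,
    and return the final key."""
    for s in entropy_inputs:
        key = reseed(key, s)
    return key


# Constructed test vectors: (current key, accumulated pool entropy s).
VECTORS = [
    (bytes(KEYSIZE), b""),
    (bytes(range(KEYSIZE)), b"pool0-digest|pool1-digest"),
    (b"\xff" * KEYSIZE, bytes(range(256))),
]


def conforms_to_fs(reseed) -> bool:
    """True when `reseed` matches the F&S definition K' = H(H(K|s)) on
    every constructed vector; this is the check the typo failed."""
    return all(reseed(k, s) == H(H(k + s)) for k, s in VECTORS)


if __name__ == "__main__":
    k, s = VECTORS[1]
    for name, fn in (("pre-fix", reseed_pre_fix),
                     ("r274103", reseed_fixed),
                     ("FS&K", reseed_fsk)):
        print(f"{name:8} conforms_to_fs={conforms_to_fs(fn)!s:5} "
              f"key={fn(k, s).hex()[:16]}...")
```

Running the block shows that all three variants yield a KEYSIZE-byte key that depends on both the old key and the pool input, so the pre-fix code was not producing a constant or predictable key; what it produced was H(K|s) rather than the specified H(H(K|s)), which is why only a comparison against the definition, not an output sanity check, would have caught it.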