From: Conrad Meyer
Date: Fri, 6 Oct 2017 18:27:56 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r324372 - head/sys/dev/random

Author: cem
Date: Fri Oct 6 18:27:55 2017
New Revision: 324372
URL: https://svnweb.freebsd.org/changeset/base/324372

Log:
  random(4): Discard low entropy inputs

  The later fields of the harvest_event structure are predictable and provide
  little value to the entropy pool. Only feed in the relatively high entropy
  counter and explicit entropy buffer to increase measured input entropy.

  See also:
  https://people.freebsd.org/~jmg/vbsdcon_2017_ddfreebsdrng_slides.pdf

  PR: 222807
  Submitted by: W. Dean Freeman
  Reviewed by: jmg (earlier version), delphij
  Approved by: secteam (delphij)
  Obtained from: HBSD 8d809124d563937edd84c9c9d5494406e359c55c
  Security: no -- low entropy marginal input has no known negative effect on pool quality
  Differential Revision: https://reviews.freebsd.org/D12610

Modified:
  head/sys/dev/random/fortuna.c

Modified: head/sys/dev/random/fortuna.c
==============================================================================
--- head/sys/dev/random/fortuna.c Fri Oct 6 18:22:36 2017 (r324371) +++ head/sys/dev/random/fortuna.c Fri Oct 6 18:27:55 2017 (r324372) @@ -1,4 +1,5 @@ /*- + * Copyright (c) 2017 W. Dean Freeman * Copyright (c) 2013-2015 Mark R V Murray * All rights reserved. * 
@@ -87,7 +88,7 @@ __FBSDID("$FreeBSD$"); * and too small may compromise initial security but get faster reseeds. */ #define RANDOM_FORTUNA_MINPOOLSIZE 16 -#define RANDOM_FORTUNA_MAXPOOLSIZE UINT_MAX +#define RANDOM_FORTUNA_MAXPOOLSIZE INT_MAX CTASSERT(RANDOM_FORTUNA_MINPOOLSIZE <= RANDOM_FORTUNA_DEFPOOLSIZE); CTASSERT(RANDOM_FORTUNA_DEFPOOLSIZE <= RANDOM_FORTUNA_MAXPOOLSIZE); 
@@ -232,17 +233,29 @@ random_fortuna_process_event(struct harvest_event *eve * during accumulation/reseeding and reading/regating. */ pl = event->he_destination % RANDOM_FORTUNA_NPOOLS; - randomdev_hash_iterate(&fortuna_state.fs_pool[pl].fsp_hash, event, sizeof(*event)); + /* + * We ignore low entropy static/counter fields towards the end of the + * he_event structure in order to increase measurable entropy when + * conducting SP800-90B entropy analysis measurements of seed material + * fed into PRNG. + * -- wdf + */ + KASSERT(event->he_size <= sizeof(event->he_entropy), + ("%s: event->he_size: %hhu > sizeof(event->he_entropy): %zu\n", + __func__, event->he_size, sizeof(event->he_entropy))); + randomdev_hash_iterate(&fortuna_state.fs_pool[pl].fsp_hash, + &event->he_somecounter, sizeof(event->he_somecounter)); + randomdev_hash_iterate(&fortuna_state.fs_pool[pl].fsp_hash, + event->he_entropy, event->he_size); + /*- - * Don't wrap the length. Doing this the hard way so as not to wrap at MAXUINT. - * This is a "saturating" add. + * Don't wrap the length. This is a "saturating" add. * XXX: FIX!!: We don't actually need lengths for anything but fs_pool[0], * but it's been useful debugging to see them all. */ - if (RANDOM_FORTUNA_MAXPOOLSIZE - fortuna_state.fs_pool[pl].fsp_length > event->he_size) - fortuna_state.fs_pool[pl].fsp_length += event->he_size; - else - fortuna_state.fs_pool[pl].fsp_length = RANDOM_FORTUNA_MAXPOOLSIZE; + fortuna_state.fs_pool[pl].fsp_length = MIN(RANDOM_FORTUNA_MAXPOOLSIZE, + fortuna_state.fs_pool[pl].fsp_length + + sizeof(event->he_somecounter) + event->he_size); explicit_bzero(event, sizeof(*event)); RANDOM_RESEED_UNLOCK(); }
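
Review bot: The switch of RANDOM_FORTUNA_MAXPOOLSIZE from UINT_MAX to INT_MAX in the @@ -87,7 +88,7 @@ hunk carries no comment, yet the rewritten fsp_length update in random_fortuna_process_event depends on it. That code now adds sizeof(event->he_somecounter) + event->he_size to fsp_length first and clamps with MIN() afterwards, so the sum has to stay below the wrap point of whatever type the addition is carried out in; the old subtract-then-compare form did not have that requirement. A one-line comment next to the define saying the limit must leave headroom for the largest single increment would keep a later change back to UINT_MAX from silently reintroducing the wrap.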
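
Review bot: In the @@ -232,17 +233,29 @@ hunk the only bound on event->he_size is a KASSERT, which is compiled out of kernels built without INVARIANTS, while the second randomdev_hash_iterate() call now takes he_size as its length where the old code hashed a fixed sizeof(*event). If a harvest source ever hands in an he_size larger than sizeof(event->he_entropy), a production kernel would read past he_entropy and add the oversized value to fsp_length with no diagnostic. Consider keeping the KASSERT for debug builds and also clamping the length once, for example MIN(event->he_size, sizeof(event->he_entropy)), and using the clamped value in both the hash call and the fsp_length update. The trailing \n in the KASSERT message is not needed.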