svn commit: r324372 - head/sys/dev/random

Fri Oct 6 18:27:57 UTC 2017

Author: cem
Date: Fri Oct  6 18:27:55 2017
New Revision: 324372
URL: https://svnweb.freebsd.org/changeset/base/324372

Log:
  random(4): Discard low entropy inputs
  
  The later fields of the harvest_event structure are predictable and provide
  little value to the entropy pool.  Only feed in the relatively high entropy
  counter and explicit entropy buffer to increase measured input entropy.
  
  See also:
  https://people.freebsd.org/~jmg/vbsdcon_2017_ddfreebsdrng_slides.pdf
  
  PR:		222807
  Submitted by:	W. Dean Freeman <badfilemagic AT gmail.com>
  Reviewed by:	jmg (earlier version), delphij
  Approved by:	secteam (delphij)
  Obtained from:	HBSD 8d809124d563937edd84c9c9d5494406e359c55c
  Security:	no -- low entropy marginal input has no known negative affect on pool quality
  Differential Revision:	https://reviews.freebsd.org/D12610

Modified:
  head/sys/dev/random/fortuna.c

Modified: head/sys/dev/random/fortuna.c
==============================================================================

--- head/sys/dev/random/fortuna.c	Fri Oct  6 18:22:36 2017	(r324371)
+++ head/sys/dev/random/fortuna.c	Fri Oct  6 18:27:55 2017	(r324372)
@@ -1,4 +1,5 @@
 /*-
+ * Copyright (c) 2017 W. Dean Freeman
  * Copyright (c) 2013-2015 Mark R V Murray
  * All rights reserved.
  *
@@ -87,7 +88,7 @@ __FBSDID("$FreeBSD$");
  * and too small may compromise initial security but get faster reseeds.
  */
 #define	RANDOM_FORTUNA_MINPOOLSIZE 16
-#define	RANDOM_FORTUNA_MAXPOOLSIZE UINT_MAX
+#define	RANDOM_FORTUNA_MAXPOOLSIZE INT_MAX 
 CTASSERT(RANDOM_FORTUNA_MINPOOLSIZE <= RANDOM_FORTUNA_DEFPOOLSIZE);
 CTASSERT(RANDOM_FORTUNA_DEFPOOLSIZE <= RANDOM_FORTUNA_MAXPOOLSIZE);
 
@@ -232,17 +233,29 @@ random_fortuna_process_event(struct harvest_event *eve
 	 * during accumulation/reseeding and reading/regating.
 	 */
 	pl = event->he_destination % RANDOM_FORTUNA_NPOOLS;
-	randomdev_hash_iterate(&fortuna_state.fs_pool[pl].fsp_hash, event, sizeof(*event));
+	/*
+	 * We ignore low entropy static/counter fields towards the end of the
+	 * he_event structure in order to increase measurable entropy when
+	 * conducting SP800-90B entropy analysis measurements of seed material
+	 * fed into PRNG.
+	 * -- wdf
+	 */
+	KASSERT(event->he_size <= sizeof(event->he_entropy),
+	    ("%s: event->he_size: %hhu > sizeof(event->he_entropy): %zu\n",
+	    __func__, event->he_size, sizeof(event->he_entropy)));
+	randomdev_hash_iterate(&fortuna_state.fs_pool[pl].fsp_hash,
+	    &event->he_somecounter, sizeof(event->he_somecounter));
+	randomdev_hash_iterate(&fortuna_state.fs_pool[pl].fsp_hash,
+	    event->he_entropy, event->he_size);
+
 	/*-
-	 * Don't wrap the length. Doing this the hard way so as not to wrap at MAXUINT.
-	 * This is a "saturating" add.
+	 * Don't wrap the length.  This is a "saturating" add.
 	 * XXX: FIX!!: We don't actually need lengths for anything but fs_pool[0],
 	 * but it's been useful debugging to see them all.
 	 */
-	if (RANDOM_FORTUNA_MAXPOOLSIZE - fortuna_state.fs_pool[pl].fsp_length > event->he_size)
-		fortuna_state.fs_pool[pl].fsp_length += event->he_size;
-	else
-		fortuna_state.fs_pool[pl].fsp_length = RANDOM_FORTUNA_MAXPOOLSIZE;
+	fortuna_state.fs_pool[pl].fsp_length = MIN(RANDOM_FORTUNA_MAXPOOLSIZE,
+	    fortuna_state.fs_pool[pl].fsp_length +
+	    sizeof(event->he_somecounter) + event->he_size);
 	explicit_bzero(event, sizeof(*event));
 	RANDOM_RESEED_UNLOCK();
 }
