Linux cryptographic layer development
 help / color / mirror / Atom feed
From: Stephan Mueller <stephan.mueller@atsec.com>
To: Clemens Ladisch <clemens@ladisch.de>
Cc: Rafael Aquini <aquini@redhat.com>, Theodore Ts'o <tytso@mit.edu>,
	Arnd Bergmann <arnd@arndb.de>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org
Subject: Re: [RFC PATCH] char: random: stir the output pools differently when the random_write lenght allows splitting the seed
Date: Fri, 10 Jan 2014 10:49:14 +0100	[thread overview]
Message-ID: <1510904.XsOZgVgixq@tauon> (raw)
In-Reply-To: <52CFABC5.5030806@ladisch.de>

Am Freitag, 10. Januar 2014, 09:13:57 schrieb Clemens Ladisch:

Hi Clemens,

>Rafael Aquini wrote:
>> This patch introduces changes to the random_write method so it can
>> split the given seed and completely stir the output pools with
>> different halves of it, when seed lenght allows us doing so.
>> 
>> -	ret = write_pool(&blocking_pool, buffer, count);
>> +	ret = write_pool(pool1, buffer, count1);
>> 
>>  	if (ret)
>>  	
>>  		return ret;
>> 
>> -	ret = write_pool(&nonblocking_pool, buffer, count);
>> +	ret = write_pool(pool2, buffer + offset, count2);
>
>Doesn't this assume that both halves of the buffer contain some
>(uncredited) entropy?  In other words, wouldn't this result in worse
>randomness for pool2 if the second half of the buffer contains just
>zero padding?

The concern this patch addresses is the following:

Both pools have dissimilar use cases. Typically, the blocking_pool is 
used for cases where more "secure" random numbers shall be generated 
whereas the nonblocking_pool shall be used for any other case.

The issue now is that both pools intended for different use cases are 
always updated with the same data. That means, we effectively have two 
different RNGs (the blocking and nonblocking pool) which are both 
(re-)seeded with the same data every time when invoking a write on 
/dev/?random.

There is no way that the (re)seed operation mixes both pools with 
different values.

Coming back to your concern: sure, the caller can pad any data injected 
into /dev/?random with zeros. But as writing to the character files is 
allowed to every user, this per definition must not matter (e.g. an 
attacker may simply write zeros or other known data into the character 
file). And the random.c driver handles that case appropriately by not 
increasing the entropy estimator when receiving data. All the patch 
tries to achieve is to ensure that both pools are not always mixed with 
the same values. Hence, the patch does not change the entropy estimator 
operation.

Ciao
Stephan

  reply	other threads:[~2014-01-10  9:57 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-01-09 23:15 [RFC PATCH] char: random: stir the output pools differently when the random_write lenght allows splitting the seed Rafael Aquini
2014-01-10  8:13 ` Clemens Ladisch
2014-01-10  9:49   ` Stephan Mueller [this message]
2014-01-10 11:37     ` Clemens Ladisch
2014-01-10 12:15       ` Stephan Mueller
2014-01-10 12:32         ` Clemens Ladisch
2014-01-30 13:22           ` Rafael Aquini
2014-01-10 21:47       ` Rafael Aquini

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1510904.XsOZgVgixq@tauon \
    --to=stephan.mueller@atsec.com \
    --cc=aquini@redhat.com \
    --cc=arnd@arndb.de \
    --cc=clemens@ladisch.de \
    --cc=gregkh@linuxfoundation.org \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=tytso@mit.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox