Linux cryptographic layer development
 help / color / mirror / Atom feed
From: Stephan Mueller <stephan.mueller@atsec.com>
To: Clemens Ladisch <clemens@ladisch.de>
Cc: Rafael Aquini <aquini@redhat.com>, Theodore Ts'o <tytso@mit.edu>,
	Arnd Bergmann <arnd@arndb.de>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org
Subject: Re: [RFC PATCH] char: random: stir the output pools differently when the random_write lenght allows splitting the seed
Date: Fri, 10 Jan 2014 13:15:34 +0100	[thread overview]
Message-ID: <5743525.Bz4yhBJ8Tl@tauon> (raw)
In-Reply-To: <52CFDB76.2030207@ladisch.de>

Am Freitag, 10. Januar 2014, 12:37:26 schrieb Clemens Ladisch:

Hi Clemens,

>Stephan Mueller wrote:
>> Am Freitag, 10. Januar 2014, 09:13:57 schrieb Clemens Ladisch:
>>> Rafael Aquini wrote:
>>>> This patch introduces changes to the random_write method so it can
>>>> split the given seed and completely stir the output pools with
>>>> different halves of it, when seed lenght allows us doing so.
>>>> 
>>>> -	ret = write_pool(&blocking_pool, buffer, count);
>>>> +	ret = write_pool(pool1, buffer, count1);
>>>> 
>>>>  	if (ret)
>>>>  	
>>>>  		return ret;
>>>> 
>>>> -	ret = write_pool(&nonblocking_pool, buffer, count);
>>>> +	ret = write_pool(pool2, buffer + offset, count2);
>>> 
>>> Doesn't this assume that both halves of the buffer contain some
>>> (uncredited) entropy?  In other words, wouldn't this result in worse
>>> randomness for pool2 if the second half of the buffer contains just
>>> zero padding?
>> 
>> [...]
>> Coming back to your concern: sure, the caller can pad any data
>> injected into /dev/?random with zeros.
>
>Assume that the userspace of an embedded device wants to do the same
>kind of initialization that a call to add_device_randomness() does, and
>that it has some data like "char serial_number[256]".  The padding
>wouldn't be done intentionally, it's just a property of the data (and
>it wouldn't have mattered before this patch).
>
>> But as writing to the character files is allowed to every user, this
>> per definition must not matter (e.g. an attacker may simply write
>> zeros or other known data into the character file). And the random.c
>> driver handles that case appropriately by not increasing the entropy
>> estimator when receiving data.
>
>The problem is not with the entropy estimate.
>
>> All the patch tries to achieve is to ensure that both pools are not
>> always mixed with the same values.
>
>Before this patch, both pools got mixed with the same values.  After
>this patch, both pools indeed get mixed with different values, but now
>one pool gets mixed with a known value if one half of the buffer
>happens to be known.

Do you imply in your example above that the serial number is unknown? 
Anything that unprivileged user space tries to inject into /dev/?random 
should be considered data with known value.

Ciao
Stephan

  reply	other threads:[~2014-01-10 12:15 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-01-09 23:15 [RFC PATCH] char: random: stir the output pools differently when the random_write lenght allows splitting the seed Rafael Aquini
2014-01-10  8:13 ` Clemens Ladisch
2014-01-10  9:49   ` Stephan Mueller
2014-01-10 11:37     ` Clemens Ladisch
2014-01-10 12:15       ` Stephan Mueller [this message]
2014-01-10 12:32         ` Clemens Ladisch
2014-01-30 13:22           ` Rafael Aquini
2014-01-10 21:47       ` Rafael Aquini

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5743525.Bz4yhBJ8Tl@tauon \
    --to=stephan.mueller@atsec.com \
    --cc=aquini@redhat.com \
    --cc=arnd@arndb.de \
    --cc=clemens@ladisch.de \
    --cc=gregkh@linuxfoundation.org \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=tytso@mit.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox