* Re: [PATCH] [3/4] /dev/random: Use separate entropy store for /dev/urandom
@ 2004-08-28 10:29 Balint Marton
2004-08-30 2:10 ` Theodore Ts'o
0 siblings, 1 reply; 4+ messages in thread
From: Balint Marton @ 2004-08-28 10:29 UTC (permalink / raw)
To: linux-kernel; +Cc: tytso
Hi,
After using this patch, an already resolved bug returned (Tested with
2.6.9-rc1-bk3). For the old bug, see this thread (get_random_bytes returns
the same on every boot):
http://marc.theaimsgroup.com/?l=linux-kernel&m=109053711812560&w=2
Now the situation is almost the same, except we read from the urandom pool
this time. The urandom pool is only cleared, and not initialized, and
because there is nothing in the primary pool, the reseeding is not
successful. The solution is also the same, initialize not just the primary
and secondary, but also the urandom pool:
--- linux-2.6.9-rc1-bk3/drivers/char/random.c.or 2004-08-28 10:12:28.000000000 +0200
+++ linux-2.6.9-rc1-bk3/drivers/char/random.c 2004-08-28 11:43:21.134293136 +0200
@@ -1548,6 +1548,7 @@
clear_entropy_store(urandom_state);
init_std_data(random_state);
init_std_data(sec_random_state);
+ init_std_data(urandom_state);
#ifdef CONFIG_SYSCTL
sysctl_init_random(random_state);
#endif
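Review bot: The clear_entropy_store() and init_std_data() calls for the three stores are kept in step by hand here, and the line this hunk adds exists only because urandom_state was cleared without a matching init. Consider a small helper that clears and initializes a store in one call, or at least a comment above init_std_data(urandom_state) recording that without it get_random_bytes() returns the same output on every boot, so the next added store does not reintroduce the problem.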
bye,
Cus
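The failure described in this message, as an added example that is not part of the thread or of the kernel source: a toy C model of a store that is cleared but never stirred, read before the primary store has any credited entropy. The toy_* names, RESEED_BITS and the FNV-style mixer are assumptions made for the model, not kernel code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POOL_WORDS  32
#define RESEED_BITS 64  /* assumed reseed threshold for this model */

struct toy_pool { uint32_t w[POOL_WORDS]; int entropy_bits; };

/* Stand-in mixer (FNV-style), not the kernel's mixing function. */
static void toy_mix(struct toy_pool *p, uint32_t v)
{
    for (int i = 0; i < POOL_WORDS; i++) {
        v = (v ^ p->w[i]) * 16777619u + (uint32_t)i;
        p->w[i] = v;
    }
}

/* Models init_std_data(): stirs in boot-specific data, credits no entropy. */
static void toy_init_std(struct toy_pool *p, uint32_t boot_time)
{
    toy_mix(p, boot_time);
}

/* Reseed from the primary store only if it has credited entropy, then output. */
static uint32_t toy_extract(struct toy_pool *p, struct toy_pool *primary)
{
    uint32_t h = 2166136261u;
    if (primary->entropy_bits >= RESEED_BITS) {  /* never true right after boot */
        toy_mix(p, primary->w[0]);
        primary->entropy_bits -= RESEED_BITS;
    }
    for (int i = 0; i < POOL_WORDS; i++)
        h = (h ^ p->w[i]) * 16777619u;
    toy_mix(p, h);  /* feed the output back so later reads differ */
    return h;
}

/* First value read in one simulated boot; boot_time is a constructed input. */
static uint32_t first_output(int init_urandom, uint32_t boot_time)
{
    struct toy_pool primary, urandom;
    memset(&primary, 0, sizeof(primary));  /* clear_entropy_store() equivalent */
    memset(&urandom, 0, sizeof(urandom));
    toy_init_std(&primary, boot_time);
    if (init_urandom)
        toy_init_std(&urandom, boot_time);
    return toy_extract(&urandom, &primary);
}

int main(void)
{
    printf("cleared only: %08x %08x\n", (unsigned)first_output(0, 1000), (unsigned)first_output(0, 2000));
    printf("initialized:  %08x %08x\n", (unsigned)first_output(1, 1000), (unsigned)first_output(1, 2000));
    return 0;
}
```

In the cleared-only case the two simulated boots print the same value, because nothing boot-specific ever reaches the store that is read.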
* Re: [PATCH] [3/4] /dev/random: Use separate entropy store for /dev/urandom
2004-08-28 10:29 [PATCH] [3/4] /dev/random: Use separate entropy store for /dev/urandom Balint Marton
@ 2004-08-30 2:10 ` Theodore Ts'o
0 siblings, 0 replies; 4+ messages in thread
From: Theodore Ts'o @ 2004-08-30 2:10 UTC (permalink / raw)
To: Balint Marton; +Cc: linux-kernel
On Sat, Aug 28, 2004 at 12:29:40PM +0200, Balint Marton wrote:
> Hi,
>
> After using this patch, an already resolved bug returned (Tested with
> 2.6.9-rc1-bk3). For the old bug, see this thread (get_random_bytes returns
> the same on every boot):
> http://marc.theaimsgroup.com/?l=linux-kernel&m=109053711812560&w=2
>
> Now the situation is almost the same, except we read from the urandom pool
> this time. The urandom pool is only cleared, and not initialized, and
> because there is nothing in the primary pool, the reseeding is not
> successful. The solution is also the same, initialize not just the primary
> and secondary, but also the urandom pool:
Yes, good point. Thanks. I'll make sure this gets pushed to Andrew/Linus.
- Ted
* [PATCH] [3/4] /dev/random: Use separate entropy store for /dev/urandom
@ 2004-08-20 4:57 Theodore Ts'o
2004-08-24 21:22 ` Matt Mackall
0 siblings, 1 reply; 4+ messages in thread
From: Theodore Ts'o @ 2004-08-20 4:57 UTC (permalink / raw)
To: linux-kernel; +Cc: akpm
This patch adds a separate pool for use with /dev/urandom. This
prevents a /dev/urandom read from being able to completely drain the
entropy in the /dev/random pool, and also makes it much more difficult
for an attacker to carry out a state extension attack.
patch-random-3-urandom-pool
--- random.c 2004/08/19 22:49:48 1.3
+++ random.c 2004/08/19 22:50:19 1.4
@@ -401,6 +401,7 @@
*/
static struct entropy_store *random_state; /* The default global store */
static struct entropy_store *sec_random_state; /* secondary store */
+static struct entropy_store *urandom_state; /* For urandom */
static DECLARE_WAIT_QUEUE_HEAD(random_read_wait);
static DECLARE_WAIT_QUEUE_HEAD(random_write_wait);
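Review bot: The comment on the new urandom_state declaration, "For urandom", understates its role, since the get_random_bytes() hunk in this same patch makes it the first-choice store for in-kernel callers as well. Suggest wording along the lines of "non-blocking store: /dev/urandom and get_random_bytes()" so a reader of the declarations sees both users.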
@@ -1474,14 +1475,21 @@
*/
void get_random_bytes(void *buf, int nbytes)
{
- if (sec_random_state)
- extract_entropy(sec_random_state, (char *) buf, nbytes,
- EXTRACT_ENTROPY_SECONDARY);
- else if (random_state)
- extract_entropy(random_state, (char *) buf, nbytes, 0);
- else
+ struct entropy_store *r = urandom_state;
+ int flags = EXTRACT_ENTROPY_SECONDARY;
+
+ if (!r)
+ r = sec_random_state;
+ if (!r) {
+ r = random_state;
+ flags = 0;
+ }
+ if (!r) {
printk(KERN_NOTICE "get_random_bytes called before "
"random driver initialization\n");
+ return;
+ }
+ extract_entropy(r, (char *) buf, nbytes, flags);
}
EXPORT_SYMBOL(get_random_bytes);
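Review bot: get_random_bytes() sets flags = EXTRACT_ENTROPY_SECONDARY unconditionally when it uses urandom_state, whereas urandom_read() in the last hunk sets that flag only after checking random_state->entropy_count against POOLBITS. If that check is what keeps reads from the urandom store from drawing down the primary store, the in-kernel path bypasses it; either apply the same gate here or add a comment explaining why kernel callers are exempt. Separately, the early return after the printk leaves buf unwritten and the void signature gives the caller no way to notice, which deserves a note in the function comment.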
@@ -1532,8 +1540,12 @@
if (create_entropy_store(SECONDARY_POOL_SIZE, "secondary",
&sec_random_state))
goto err;
+ if (create_entropy_store(SECONDARY_POOL_SIZE, "urandom",
+ &urandom_state))
+ goto err;
clear_entropy_store(random_state);
clear_entropy_store(sec_random_state);
+ clear_entropy_store(urandom_state);
init_std_data(random_state);
#ifdef CONFIG_SYSCTL
sysctl_init_random(random_state);
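Review bot: In the init hunk urandom_state is created and passed to clear_entropy_store(), but only random_state gets an init_std_data() call on the following line, so the new store starts out all zero. Since get_random_bytes() now reads from urandom_state first, please add init_std_data(urandom_state) next to the clear; the follow-up in this thread reports identical get_random_bytes() output on every boot without it.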
@@ -1667,9 +1679,15 @@
urandom_read(struct file * file, char __user * buf,
size_t nbytes, loff_t *ppos)
{
- return extract_entropy(sec_random_state, buf, nbytes,
- EXTRACT_ENTROPY_USER |
- EXTRACT_ENTROPY_SECONDARY);
+ int flags = EXTRACT_ENTROPY_USER;
+ unsigned long cpuflags;
+
+ spin_lock_irqsave(&random_state->lock, cpuflags);
+ if (random_state->entropy_count > random_state->poolinfo.POOLBITS)
+ flags |= EXTRACT_ENTROPY_SECONDARY;
+ spin_unlock_irqrestore(&random_state->lock, cpuflags);
+
+ return extract_entropy(urandom_state, buf, nbytes, flags);
}
static unsigned int
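Review bot: The gate in urandom_read() tests random_state->entropy_count with ">" against poolinfo.POOLBITS, so it fires only when the count exceeds the full pool size; if entropy_count is capped at POOLBITS elsewhere, EXTRACT_ENTROPY_SECONDARY is never set here and the urandom store is never reseeded through this path. Please confirm the intended threshold and state it in a comment. Also, the count is sampled under random_state->lock but the lock is released before extract_entropy() runs, so the decision can be stale by the time the extraction happens.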
* Re: [PATCH] [3/4] /dev/random: Use separate entropy store for /dev/urandom
2004-08-20 4:57 Theodore Ts'o
@ 2004-08-24 21:22 ` Matt Mackall
0 siblings, 0 replies; 4+ messages in thread
From: Matt Mackall @ 2004-08-24 21:22 UTC (permalink / raw)
To: Theodore Ts'o; +Cc: linux-kernel, akpm
On Fri, Aug 20, 2004 at 12:57:20AM -0400, Theodore Ts'o wrote:
>
> This patch adds a separate pool for use with /dev/urandom. This
> prevents a /dev/urandom read from being able to completely drain the
> entropy in the /dev/random pool, and also makes it much more difficult
> for an attacker to carry out a state extension attack.
My version of this went a step further. We want to at all times ensure
that there's enough data to do a full catastrophic reseed in the
blocking pool, so we have to assure we're never drawing below that
point when doing reads for urandom.
--
Mathematics is the supreme nostalgia of our time.