Date:      Tue, 4 Nov 2014 23:02:20 +0000 (UTC)
From:      Dag-Erling Smørgrav <des@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r274103 - head/sys/dev/random
Message-ID:  <201411042302.sA4N2K4X063860@svn.freebsd.org>

Author: des
Date: Tue Nov  4 23:02:19 2014
New Revision: 274103
URL: https://svnweb.freebsd.org/changeset/base/274103

Log:
  When reseeding the DPRNG, we're supposed to hash the current key and
  some accumulated entropy twice and use that as the new key.  Due to a
  typo, we were using the output of the first hash round instead of the
  second.  Correct this, but eliminate temp[] since we can reuse hash[].
  Also add comments explaining what is going on and why.
  
  Noticed by:	Sami Farin <sami.farin@gmail.com>
  Reviewed by:	markm@
  Approved by:	so (des)

Modified:
  head/sys/dev/random/fortuna.c

Modified: head/sys/dev/random/fortuna.c
==============================================================================
--- head/sys/dev/random/fortuna.c	Tue Nov  4 23:02:16 2014	(r274102)
+++ head/sys/dev/random/fortuna.c	Tue Nov  4 23:02:19 2014	(r274103)
@@ -25,6 +25,17 @@
  *
  */
 
+/* This implementation of Fortuna is based on the descriptions found in
+ * ISBN 0-471-22357-3 "Practical Cryptography" by Ferguson and Schneier
+ * ("K&S").
+ *
+ * The above book is superceded by ISBN 978-0-470-47424-2 "Cryptography
+ * Engineering" by Ferguson, Schneier and Kohno ("FS&K").
+ *
+ * This code has not yet caught up with FS&K, but differences are not
+ * expected to be complex.
+ */
+
 #include <sys/cdefs.h>
 __FBSDID("$FreeBSD$");
 
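Review bot: The new header comment abbreviates Ferguson and Schneier as `("K&S")`, but the reseed() comments in this same file (see the second hunk) call the same book `F&S`, so a reader following the abbreviation will not find it; `("F&S")` looks like the intended spelling and would match the function-level comments. The same paragraph also misspells "superseded" as `superceded`. Both are wording fixes inside the comment only; no code is affected.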
@@ -234,27 +245,26 @@ static void
 reseed(uint8_t *junk, u_int length)
 {
 	struct randomdev_hash context;
-	uint8_t hash[KEYSIZE], temp[KEYSIZE];
+	uint8_t hash[KEYSIZE];
 
 	KASSERT(fortuna_state.minpoolsize > 0, ("random: Fortuna threshold = 0"));
 #ifdef _KERNEL
 	mtx_assert(&random_reseed_mtx, MA_OWNED);
 #endif
 
-	/* F&S - temp = H(K|s) */
+	/* F&S - K = Hd(K|s) where Hd(m) is H(H(m)) */
 	randomdev_hash_init(&context);
+#if 0
+	/* FS&K defines Hd(m) as H(H(0^512|m)) */
+	randomdev_hash_iterate(&context, zero_region, KEYSIZE);
+#endif
 	randomdev_hash_iterate(&context, &fortuna_state.key, sizeof(fortuna_state.key));
 	randomdev_hash_iterate(&context, junk, length);
-	randomdev_hash_finish(&context, temp);
-
-	/* F&S - hash = H(temp) */
+	randomdev_hash_finish(&context, hash);
 	randomdev_hash_init(&context);
-	randomdev_hash_iterate(&context, temp, KEYSIZE);
+	randomdev_hash_iterate(&context, hash, KEYSIZE);
 	randomdev_hash_finish(&context, hash);
-
-	/* F&S - K = hash */
-	randomdev_encrypt_init(&fortuna_state.key, temp);
-	memset(temp, 0, sizeof(temp));
+	randomdev_encrypt_init(&fortuna_state.key, hash);
 	memset(hash, 0, sizeof(hash));
 
 	/* Unblock the device if it was blocked due to being unseeded */
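Review bot: The new comment says `K = Hd(K|s)`, but the iterate call below it feeds `&fortuna_state.key` with `sizeof(fortuna_state.key)`, so the hash input is the whole key object rather than KEYSIZE bytes of K; if that object carries more than the raw key (an expanded schedule, say), a note such as `/* note: hashes the whole key object, not only the KEYSIZE key bytes */` would stop the next reader from assuming a byte-for-byte match with the book. The `#if 0` block that references `zero_region` is disabled code that must still compile; saying in its comment why it is switched off (keeping the current reseed output rather than adopting the FS&K zero-prefix) would be clearer than the bare `#if 0`. The trailing `memset(hash, 0, sizeof(hash))` wipes a local buffer that is never read again, which a compiler is entitled to drop as a dead store; a zeroing helper the optimizer cannot elide (explicit_bzero where the tree has one, or a volatile-pointer loop) would make the wipe of key material reliable. reseed() continues past the end of the hunk.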


