author | des <des@FreeBSD.org> | 2014-11-04 23:02:19 +0000 |
committer | des <des@FreeBSD.org> | 2014-11-04 23:02:19 +0000 |
commit | f095756b28c91ea56b5b2778e01f3ea61bc7ccee (patch) | |
tree | de438a97a9fd76027cadc7925967539b6f2364a6 /sys/dev/random | |
parent | 938d2505e3c21aed03a011442ea9f0272c9b23a2 (diff) | |
When reseeding the DPRNG, we're supposed to hash the current key and
some accumulated entropy twice and use that as the new key. Due to a
typo, we were using the output of the first hash round instead of the
second. Correct this, but eliminate temp[] since we can reuse hash[].
Also add comments explaining what is going on and why.
Noticed by: Sami Farin <sami.farin@gmail.com>
Reviewed by: markm@
Approved by: so (des)
Diffstat (limited to 'sys/dev/random')
-rw-r--r-- | sys/dev/random/fortuna.c | 30 |
1 files changed, 20 insertions, 10 deletions
diff --git a/sys/dev/random/fortuna.c b/sys/dev/random/fortuna.c
index 46ec88d..f8b3e0c 100644
--- a/sys/dev/random/fortuna.c
+++ b/sys/dev/random/fortuna.c
@@ -25,6 +25,17 @@
 *
 */
+/* This implementation of Fortuna is based on the descriptions found in
+ * ISBN 0-471-22357-3 "Practical Cryptography" by Ferguson and Schneier
+ * ("K&S").
+ *
+ * The above book is superceded by ISBN 978-0-470-47424-2 "Cryptography
+ * Engineering" by Ferguson, Schneier and Kohno ("FS&K").
+ *
+ * This code has not yet caught up with FS&K, but differences are not
+ * expected to be complex.
+ */
+
 #include <sys/cdefs.h>
 __FBSDID("$FreeBSD$");
@@ -234,27 +245,26 @@ static void
 reseed(uint8_t *junk, u_int length)
 {
 struct randomdev_hash context;
- uint8_t hash[KEYSIZE], temp[KEYSIZE];
+ uint8_t hash[KEYSIZE];
 KASSERT(fortuna_state.minpoolsize > 0, ("random: Fortuna threshold = 0"));
 #ifdef _KERNEL
 mtx_assert(&random_reseed_mtx, MA_OWNED);
 #endif
- /* F&S - temp = H(K|s) */
+ /* F&S - K = Hd(K|s) where Hd(m) is H(H(m)) */
 randomdev_hash_init(&context);
+#if 0
+ /* FS&K defines Hd(m) as H(H(0^512|m)) */
+ randomdev_hash_iterate(&context, zero_region, KEYSIZE);
+#endif
 randomdev_hash_iterate(&context, &fortuna_state.key, sizeof(fortuna_state.key));
 randomdev_hash_iterate(&context, junk, length);
- randomdev_hash_finish(&context, temp);
-
- /* F&S - hash = H(temp) */
+ randomdev_hash_finish(&context, hash);
 randomdev_hash_init(&context);
- randomdev_hash_iterate(&context, temp, KEYSIZE);
+ randomdev_hash_iterate(&context, hash, KEYSIZE);
 randomdev_hash_finish(&context, hash);
-
- /* F&S - K = hash */
- randomdev_encrypt_init(&fortuna_state.key, temp);
- memset(temp, 0, sizeof(temp));
+ randomdev_encrypt_init(&fortuna_state.key, hash);
 memset(hash, 0, sizeof(hash));
 /* Unblock the device if it was blocked due to being unseeded */ |
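Review bot: `superceded` in the new header comment is a typo for `superseded`. The comment also says the remaining FS&K differences are "not expected to be complex" without naming any; since the one this commit knows about is left under `#if 0` in reseed(), stating it here would make the header self-contained, e.g. ` * Known difference: FS&K's Hd(m) prepends a 512-bit zero block, i.e. H(H(0^512|m)); this code still computes H(H(m)).`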
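Review bot: The disabled FS&K variant under `#if 0` feeds `KEYSIZE` bytes of `zero_region` into the hash, but its own comment specifies a `0^512` prefix; if KEYSIZE is Fortuna's 32-byte key length (not visible in this hunk), that is 256 zero bits, so enabling the block as written would not implement the construction the comment names, and the prefix length should be its own constant rather than the key size, e.g. `randomdev_hash_iterate(&context, zero_region, 64 /* 0^512 */);`. Separately, `hash` now holds the new key itself between the final `randomdev_hash_finish` and `randomdev_encrypt_init`, and the `memset(hash, 0, sizeof(hash))` that wipes it is a dead store to a local the compiler may legally drop; if the kernel has a non-elidable clear (`explicit_bzero` or equivalent), it belongs here. `context` also carries hash state derived from the old key and the pool entropy and is never cleared in this hunk, which is only fine if `randomdev_hash_finish` zeroes its context — worth confirming. The fix itself is right: the second round now iterates over `hash` and writes back into `hash`, which is the intended H(H(K|s)). reseed()'s body continues past the end of the hunk.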