The value stored in last_data must be primed for FIPS 140-2 purposes. Upon
first use, either on system startup or after an RNDCLEARPOOL ioctl, we
need to take an initial random sample, store it internally in last_data,
then pass along the value after that to the requester, so that consistency
checks aren't being run against stale and possibly known data.

v2: streamline code flow a bit, eliminating extra loop and spinlock in the
case where we need to prime, and account for the extra primer bits.

v3: extract_buf() can't be called with spinlock already held, so bring
back some extra lock/unlock calls.

CC: Herbert Xu <herb...@gondor.apana.org.au>
CC: "David S. Miller" <da...@davemloft.net>
CC: Neil Horman <nhor...@tuxdriver.com>
CC: Matt Mackall <m...@selenic.com>
CC: linux-crypto@vger.kernel.org
Signed-off-by: Jarod Wilson <ja...@redhat.com>
---
 drivers/char/random.c |   17 +++++++++++++++++
 1 files changed, 17 insertions(+), 0 deletions(-)

diff --git a/drivers/char/random.c b/drivers/char/random.c
index b86eae9..d0139df 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -437,6 +437,7 @@ struct entropy_store {
        int entropy_count;
        int entropy_total;
        unsigned int initialized:1;
+       bool last_data_init;
        __u8 last_data[EXTRACT_SIZE];
 };
 
@@ -957,6 +958,10 @@ static ssize_t extract_entropy(struct entropy_store *r, 
void *buf,
        ssize_t ret = 0, i;
        __u8 tmp[EXTRACT_SIZE];
 
+       /* if last_data isn't primed, we need EXTRACT_SIZE extra bytes */
+       if (fips_enabled && !r->last_data_init)
+               nbytes += EXTRACT_SIZE;
+
        trace_extract_entropy(r->name, nbytes, r->entropy_count, _RET_IP_);
        xfer_secondary_pool(r, nbytes);
        nbytes = account(r, nbytes, min, reserved);
@@ -967,6 +972,17 @@ static ssize_t extract_entropy(struct entropy_store *r, 
void *buf,
                if (fips_enabled) {
                        unsigned long flags;
 
+
+                       /* prime last_data value if need be, per fips 140-2 */
+                       if (!r->last_data_init) {
+                               spin_lock_irqsave(&r->lock, flags);
+                               memcpy(r->last_data, tmp, EXTRACT_SIZE);
+                               r->last_data_init = true;
+                               nbytes -= EXTRACT_SIZE;
+                               spin_unlock_irqrestore(&r->lock, flags);
+                               extract_buf(r, tmp);
+                       }
+
                        spin_lock_irqsave(&r->lock, flags);
                        if (!memcmp(tmp, r->last_data, EXTRACT_SIZE))
                                panic("Hardware RNG duplicated output!\n");
@@ -1086,6 +1102,7 @@ static void init_std_data(struct entropy_store *r)
 
        r->entropy_count = 0;
        r->entropy_total = 0;
+       r->last_data_init = false;
        mix_pool_bytes(r, &now, sizeof(now), NULL);
        for (i = r->poolinfo->POOLBYTES; i > 0; i -= sizeof(rv)) {
                if (!arch_get_random_long(&rv))
-- 
1.7.1

--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to