On Tue, Nov 06, 2012 at 10:42:42AM -0500, Jarod Wilson wrote:
> The value stored in last_data must be primed for FIPS 140-2 purposes. Upon
> first use, either on system startup or after an RNDCLEARPOOL ioctl, we
> need to take an initial random sample, store it internally in last_data,
> then pass along the value after that to the requester, so that consistency
> checks aren't being run against stale and possibly known data.
> 
> v2: streamline code flow a bit, eliminating extra loop and spinlock in the
> case where we need to prime, and account for the extra primer bits.
> 
> v3: extract_buf() can't be called with spinlock already held, so bring
> back some extra lock/unlock calls.
> 
> CC: Herbert Xu <herb...@gondor.apana.org.au>
> CC: "David S. Miller" <da...@davemloft.net>
> CC: Neil Horman <nhor...@tuxdriver.com>
> CC: Matt Mackall <m...@selenic.com>
> CC: linux-crypto@vger.kernel.org
> Signed-off-by: Jarod Wilson <ja...@redhat.com>
> ---
>  drivers/char/random.c |   17 +++++++++++++++++
>  1 files changed, 17 insertions(+), 0 deletions(-)
> 
> diff --git a/drivers/char/random.c b/drivers/char/random.c
> index b86eae9..d0139df 100644
> --- a/drivers/char/random.c
> +++ b/drivers/char/random.c
> @@ -437,6 +437,7 @@ struct entropy_store {
>       int entropy_count;
>       int entropy_total;
>       unsigned int initialized:1;
> +     bool last_data_init;
>       __u8 last_data[EXTRACT_SIZE];
>  };
>  
> @@ -957,6 +958,10 @@ static ssize_t extract_entropy(struct entropy_store *r, 
> void *buf,
>       ssize_t ret = 0, i;
>       __u8 tmp[EXTRACT_SIZE];
>  
> +     /* if last_data isn't primed, we need EXTRACT_SIZE extra bytes */
> +     if (fips_enabled && !r->last_data_init)
> +             nbytes += EXTRACT_SIZE;
> +
>       trace_extract_entropy(r->name, nbytes, r->entropy_count, _RET_IP_);
>       xfer_secondary_pool(r, nbytes);
>       nbytes = account(r, nbytes, min, reserved);
> @@ -967,6 +972,17 @@ static ssize_t extract_entropy(struct entropy_store *r, 
> void *buf,
>               if (fips_enabled) {
>                       unsigned long flags;
>  
> +
> +                     /* prime last_data value if need be, per fips 140-2 */
> +                     if (!r->last_data_init) {
> +                             spin_lock_irqsave(&r->lock, flags);
> +                             memcpy(r->last_data, tmp, EXTRACT_SIZE);
> +                             r->last_data_init = true;
> +                             nbytes -= EXTRACT_SIZE;
> +                             spin_unlock_irqrestore(&r->lock, flags);
> +                             extract_buf(r, tmp);
> +                     }
> +
>                       spin_lock_irqsave(&r->lock, flags);
>                       if (!memcmp(tmp, r->last_data, EXTRACT_SIZE))
>                               panic("Hardware RNG duplicated output!\n");
> @@ -1086,6 +1102,7 @@ static void init_std_data(struct entropy_store *r)
>  
>       r->entropy_count = 0;
>       r->entropy_total = 0;
> +     r->last_data_init = false;
>       mix_pool_bytes(r, &now, sizeof(now), NULL);
>       for (i = r->poolinfo->POOLBYTES; i > 0; i -= sizeof(rv)) {
>               if (!arch_get_random_long(&rv))
> -- 
> 1.7.1
> 
> 
Thanks Jarod.
Acked-by: Neil Horman <nhor...@tuxdriver.com>

--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to