lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 13 Jun 2016 20:00:33 +0200 From: Stephan Mueller <smueller@...onox.de> To: Theodore Ts'o <tytso@....edu> Cc: Linux Kernel Developers List <linux-kernel@...r.kernel.org>, linux-crypto@...r.kernel.org, herbert@...dor.apana.org.au, andi@...stfloor.org, sandyinchina@...il.com, jsd@...n.com, hpa@...or.com Subject: Re: [PATCH 5/7] random: replace non-blocking pool with a Chacha20-based CRNG Am Montag, 13. Juni 2016, 11:48:37 schrieb Theodore Ts'o: Hi Theodore, > /* > @@ -1254,15 +1423,26 @@ static ssize_t extract_entropy_user(struct > entropy_store *r, void __user *buf, */ > void get_random_bytes(void *buf, int nbytes) > { > + __u8 tmp[CHACHA20_BLOCK_SIZE]; > + > #if DEBUG_RANDOM_BOOT > 0 > - if (unlikely(nonblocking_pool.initialized == 0)) > + if (!crng_ready()) > printk(KERN_NOTICE "random: %pF get_random_bytes called " > - "with %d bits of entropy available\n", > - (void *) _RET_IP_, > - nonblocking_pool.entropy_total); > + "with crng_init = %d\n", (void *) _RET_IP_, crng_init); > #endif > trace_get_random_bytes(nbytes, _RET_IP_); > - extract_entropy(&nonblocking_pool, buf, nbytes, 0, 0); > + > + while (nbytes >= CHACHA20_BLOCK_SIZE) { > + extract_crng(buf); > + buf += CHACHA20_BLOCK_SIZE; > + nbytes -= CHACHA20_BLOCK_SIZE; > + } > + > + if (nbytes > 0) { > + extract_crng(tmp); > + memcpy(buf, tmp, nbytes); > + memzero_explicit(tmp, nbytes); > + } What is your take on the following issue: 1. The ChaCha20 is seeded with 256 bits (let us assume it is full entropy) 2. The ChaCha20 block operation shuffles the 256 bits of entropy over the 512 bit state -- already here we see that after shuffling, the entropy to bit ratio fell from (256 bits of entropy / 256 data bits) to (256 bits of entropy / 512 data bits). 3. The code above directly returns the output of the ChaCha20 round to the caller. Considering the discussion in step 2, I would assume that the entropy content of the output size is cut in half. Ciao Stephan
Powered by blists - more mailing lists