diff options
author | lloyd <[email protected]> | 2008-10-27 17:05:12 +0000 |
---|---|---|
committer | lloyd <[email protected]> | 2008-10-27 17:05:12 +0000 |
commit | d0c2f90af8df600204636a701f8f279c17d6959c (patch) | |
tree | 62d9006f758b6429ed3f2ccc964892196223e05f /src/rng/randpool/randpool.cpp | |
parent | b33e8dec240005c50e8be3818d2ec250da8eeb17 (diff) |
Substantially change Randpool's reseed logic. Now when a reseed
is requested, Randpool will first do a fast poll on each entropy
source that has been registered. It will count these poll results
towards the collected entropy count, with a maximum of 96
contributed bits of entropy per poll (only /dev/random reaches
this, others measure at 50-60 bits typically), and a maximum of
256 for sum contribution of the fast polls.
Then it will attempt slow polls of all devices until it thinks enough
entropy has been collected (using the rather naive entropy_estimate
function). It will count any slow poll for no more than 256 bits (100 or
so is typical for every poll but /dev/random), and will attempt to collect
at least 512 bits of (estimated/guessed) entropy.
This tends to cause Randpool to use significantly more
sources. Previously it was common, especially on systems with a
/dev/random, for only one or a few sources to be used. This
change helps assure that even if /dev/random and company are
broken or compromised the RNG output remains secure (assuming at
least some amount of entropy unguessable by the attacker can be
collected via other sources).
Also change AutoSeeded_RNG do an automatic poll/seed when it is
created.
Diffstat (limited to 'src/rng/randpool/randpool.cpp')
-rw-r--r-- | src/rng/randpool/randpool.cpp | 21 |
1 files changed, 19 insertions, 2 deletions
diff --git a/src/rng/randpool/randpool.cpp b/src/rng/randpool/randpool.cpp index d7d1763ec..dd80a7f70 100644 --- a/src/rng/randpool/randpool.cpp +++ b/src/rng/randpool/randpool.cpp @@ -106,16 +106,33 @@ void Randpool::mix_pool() *************************************************/ void Randpool::reseed() { - SecureVector<byte> buffer(1024); + SecureVector<byte> buffer(128); + u32bit gathered_entropy = 0; + // First do a fast poll of all sources (no matter what) + for(u32bit j = 0; j != entropy_sources.size(); ++j) + { + u32bit got = entropy_sources[j]->fast_poll(buffer, buffer.size()); + u32bit entropy = std::min<u32bit>(96, entropy_estimate(buffer, got)); + + mac->update(buffer, got); + + gathered_entropy += entropy; + } + + // Limit assumed entropy from fast polls to 256 bits total + gathered_entropy = std::min<u32bit>(256, gathered_entropy); + + // Then do a slow poll, until we think we have got enough entropy for(u32bit j = 0; j != entropy_sources.size(); ++j) { u32bit got = entropy_sources[j]->slow_poll(buffer, buffer.size()); + u32bit entropy = std::min<u32bit>(256, entropy_estimate(buffer, got)); mac->update(buffer, got); - gathered_entropy += entropy_estimate(buffer, got); + gathered_entropy += entropy; if(gathered_entropy > 512) break; } |