Substantially change Randpool's reseed logic. Now when a reseed

is requested, Randpool will first do a fast poll on each entropy source that has been registered. It will count these poll results towards the collected entropy count, with a maximum of 96 contributed bits of entropy per poll (only /dev/random reaches this, others measure at 50-60 bits typically), and a maximum of 256 for sum contribution of the fast polls. Then it will attempt slow polls of all devices until it thinks enough entropy has been collected (using the rather naive entropy_estimate function). It will count any slow poll for no more than 256 bits (100 or so is typical for every poll but /dev/random), and will attempt to collect at least 512 bits of (estimated/guessed) entropy. This tends to cause Randpool to use significantly more sources. Previously it was common, especially on systems with a /dev/random, for only one or a few sources to be used. This change helps assure that even if /dev/random and company are broken or compromised the RNG output remains secure (assuming at least some amount of entropy unguessable by the attacker can be collected via other sources). Also change AutoSeeded_RNG do an automatic poll/seed when it is created.
author: lloyd <[email protected]> 2008-10-27 17:05:12 +0000
committer: lloyd <[email protected]> 2008-10-27 17:05:12 +0000
commit: d0c2f90af8df600204636a701f8f279c17d6959c (patch)
tree: 62d9006f758b6429ed3f2ccc964892196223e05f /src/rng
parent: b33e8dec240005c50e8be3818d2ec250da8eeb17 (diff)
2 files changed, 48 insertions, 18 deletions
diff --git a/src/rng/auto_rng/auto_rng.cpp b/src/rng/auto_rng/auto_rng.cpp
index 076630f6d..51d71f7d0 100644
--- a/src/rng/auto_rng/auto_rng.cpp
+++ b/src/rng/auto_rng/auto_rng.cpp
@@ -17,11 +17,17 @@
 
 #if defined(BOTAN_HAS_TIMER_HARDWARE)
   #include <botan/tm_hard.h>
-#elif defined(BOTAN_HAS_TIMER_POSIX)
+#endif
+
+#if defined(BOTAN_HAS_TIMER_POSIX)
   #include <botan/tm_posix.h>
-#elif defined(BOTAN_HAS_TIMER_UNIX)
+#endif
+
+#if defined(BOTAN_HAS_TIMER_UNIX)
   #include <botan/tm_unix.h>
-#elif defined(BOTAN_HAS_TIMER_WIN32)
+#endif
+
+#if defined(BOTAN_HAS_TIMER_WIN32)
   #include <botan/tm_win32.h>
 #endif
 
@@ -64,14 +70,18 @@ void add_entropy_sources(RandomNumberGenerator* rng)
    {
 #if defined(BOTAN_HAS_TIMER_HARDWARE)
    rng->add_entropy_source(new Hardware_Timer);
-#elif defined(BOTAN_HAS_TIMER_POSIX)
+#endif
+
+#if defined(BOTAN_HAS_TIMER_POSIX)
    rng->add_entropy_source(new POSIX_Timer);
-#elif defined(BOTAN_HAS_TIMER_UNIX)
+#endif
+
+#if defined(BOTAN_HAS_TIMER_UNIX)
    rng->add_entropy_source(new Unix_Timer);
-#elif defined(BOTAN_HAS_TIMER_WIN32)
+#endif
+
+#if defined(BOTAN_HAS_TIMER_WIN32)
    rng->add_entropy_source(new Win32_Timer);
-#else
-   rng->add_entropy_source(new Timer);
 #endif
 
 #if defined(BOTAN_HAS_ENTROPY_SRC_DEVICE)
@@ -92,22 +102,23 @@ void add_entropy_sources(RandomNumberGenerator* rng)
    rng->add_entropy_source(new Win32_CAPI_EntropySource);
 #endif
 
-#if defined(BOTAN_HAS_ENTROPY_SRC_WIN32)
-   rng->add_entropy_source(new Win32_EntropySource);
+#if defined(BOTAN_HAS_ENTROPY_SRC_FTW)
+   rng->add_entropy_source(new FTW_EntropySource("/proc"));
 #endif
 
-#if defined(BOTAN_HAS_ENTROPY_SRC_UNIX)
-   rng->add_entropy_source(
-      new Unix_EntropySource(split_on("/bin:/sbin:/usr/bin:/usr/sbin", ':'))
-      );
+
+#if defined(BOTAN_HAS_ENTROPY_SRC_WIN32)
+   rng->add_entropy_source(new Win32_EntropySource);
 #endif
 
 #if defined(BOTAN_HAS_ENTROPY_SRC_BEOS)
    rng->add_entropy_source(new BeOS_EntropySource);
 #endif
 
-#if defined(BOTAN_HAS_ENTROPY_SRC_FTW)
-   rng->add_entropy_source(new FTW_EntropySource("/proc"));
+#if defined(BOTAN_HAS_ENTROPY_SRC_UNIX)
+   rng->add_entropy_source(
+      new Unix_EntropySource(split_on("/bin:/sbin:/usr/bin:/usr/sbin", ':'))
+      );
 #endif
    }
 
@@ -124,6 +135,8 @@ AutoSeeded_RNG::AutoSeeded_RNG()
 #endif
 
    add_entropy_sources(rng);
+
+   rng->reseed();
    }
 
 }
diff --git a/src/rng/randpool/randpool.cpp b/src/rng/randpool/randpool.cpp
index d7d1763ec..dd80a7f70 100644
--- a/src/rng/randpool/randpool.cpp
+++ b/src/rng/randpool/randpool.cpp
@@ -106,16 +106,33 @@ void Randpool::mix_pool()
 *************************************************/
 void Randpool::reseed()
    {
-   SecureVector<byte> buffer(1024);
+   SecureVector<byte> buffer(128);
+
    u32bit gathered_entropy = 0;
 
+   // First do a fast poll of all sources (no matter what)
+   for(u32bit j = 0; j != entropy_sources.size(); ++j)
+      {
+      u32bit got = entropy_sources[j]->fast_poll(buffer, buffer.size());
+      u32bit entropy = std::min<u32bit>(96, entropy_estimate(buffer, got));
+
+      mac->update(buffer, got);
+
+      gathered_entropy += entropy;
+      }
+
+   // Limit assumed entropy from fast polls to 256 bits total
+   gathered_entropy = std::min<u32bit>(256, gathered_entropy);
+
+   // Then do a slow poll, until we think we have got enough entropy
    for(u32bit j = 0; j != entropy_sources.size(); ++j)
       {
       u32bit got = entropy_sources[j]->slow_poll(buffer, buffer.size());
+      u32bit entropy = std::min<u32bit>(256, entropy_estimate(buffer, got));
 
       mac->update(buffer, got);
 
-      gathered_entropy += entropy_estimate(buffer, got);
+      gathered_entropy += entropy;
       if(gathered_entropy > 512)
          break;
       }
author	lloyd <[email protected]>	2008-10-27 17:05:12 +0000
committer	lloyd <[email protected]>	2008-10-27 17:05:12 +0000
commit	d0c2f90af8df600204636a701f8f279c17d6959c (patch)
tree	62d9006f758b6429ed3f2ccc964892196223e05f /src/rng
parent	b33e8dec240005c50e8be3818d2ec250da8eeb17 (diff)