Received: by 2002:a05:6a10:1a4d:0:0:0:0 with SMTP id nk13csp2564739pxb;
        Thu, 3 Feb 2022 09:10:46 -0800 (PST)
X-Google-Smtp-Source: ABdhPJzbFWmySsNF9eaBwyrJYq0SGQKNQs34ElMbBbPxlKGsUltyvCgaykqOkhslwEsk59C60AGj
X-Received: by 2002:a17:903:1211:: with SMTP id l17mr37006239plh.11.1643908245915;
        Thu, 03 Feb 2022 09:10:45 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1643908245; cv=none;
        d=google.com; s=arc-20160816;
        b=bcNta0+YU8rEXWoecpTTSLHZqkOj1i9/jN3dYbobJ79/O9VptlG5wu2sacpANRjq/y
         YN7hLlAU3J9g1xNXxEQhErReIxv+xsfwpS80OVazIiCTchvx3OVQDZFDKzkMTmnI0ebY
         6zH9fJi40YX+6/j3cDOCpZQM6lsnnuNhT1zyHc67GHd9zY56Rka1SS0mnU+NxqPFuPgP
         S0fp91hjSdaQ6NTWJHJUGHdZhuiVDLdlhZOYW+k9WyyBmVnd1gz7rob50UpUiw4AJZYu
         qRcD3W5q03DIqbhmukg8X0rgZBWxC+hUB0SscaeI+A3UkbxgmbQAdVdekWfnYqg+tuQ4
         aKTg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:dkim-signature;
        bh=c5JjIYoKEKHglVHkMzu3VOgQtecCefZTnqMsNwFtP0k=;
        b=RLRaHWRy646ZyY1I7Wvylo/B+xlPzIclWkqHZRI4/0q4+0TrYYWS/1M1JSuk953n1U
         79XDppYn0pou0wvoABvP/yzZT+m3k4ehPRW5zF89+B6OSZlVPRS/dQnTur0vk57DUt5u
         /NogJkAEtk2TJ/q9MeamNSPYb3l+Ta+zKP40lqXSkBKqaBdkLZKvo7xZeW2XZoXOUGL6
         vdF8/urgCZ5P9o53mBIO7u1TlF4B/8G9JeqcQauAvomfsb/pKBCdVgJk9uSZaJ1rHaZO
         XAkjPlSr7pzp1Avkf7mNd1c5VGXijvTBvu2fcKxdFRISERNSQl3WByPV3vo7JVc6BZDh
         N/Cg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@zx2c4.com header.s=20210105 header.b=nec8bwHU;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zx2c4.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id 3si20311743pll.54.2022.02.03.09.10.32;
        Thu, 03 Feb 2022 09:10:45 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@zx2c4.com header.s=20210105 header.b=nec8bwHU;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zx2c4.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1344792AbiBBOLP (ORCPT <rfc822;xiejw.io@gmail.com> + 99 others);
        Wed, 2 Feb 2022 09:11:15 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37578 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S231950AbiBBOLO (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 2 Feb 2022 09:11:14 -0500
Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7F101C061714;
        Wed,  2 Feb 2022 06:11:14 -0800 (PST)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by dfw.source.kernel.org (Postfix) with ESMTPS id 1DCAE61852;
        Wed,  2 Feb 2022 14:11:14 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 5C0B5C340F1;
        Wed,  2 Feb 2022 14:11:13 +0000 (UTC)
Authentication-Results: smtp.kernel.org;
        dkim=pass (1024-bit key) header.d=zx2c4.com header.i=@zx2c4.com header.b="nec8bwHU"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zx2c4.com; s=20210105;
        t=1643811070;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:cc:mime-version:mime-version:content-type:content-type:
         in-reply-to:in-reply-to:references:references;
        bh=c5JjIYoKEKHglVHkMzu3VOgQtecCefZTnqMsNwFtP0k=;
        b=nec8bwHUWMgNyJGomQASFqfhaMOd8zL2rG9/gjzbj/dJ262XY9q27kuD/WX8CoOId2mA3A
        IjUOuUtFq2JuO7Z0vpcnVL3N9rCIe1sCbOeRRiV7uMY/Ae7uwNFnhfRpWBC+fvC9rw1PRz
        AlWwUAv75NJW4TvbbV0WKd1U+lTxglg=
Received: by mail.zx2c4.com (ZX2C4 Mail Server) with ESMTPSA id 29e0e4f8 (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO);
        Wed, 2 Feb 2022 14:11:09 +0000 (UTC)
Received: by mail-yb1-f179.google.com with SMTP id w81so39108891ybg.12;
        Wed, 02 Feb 2022 06:11:09 -0800 (PST)
X-Gm-Message-State: AOAM533snHGRzaGhO7pViYV86RP1gZb8q7jJbvgUeceYsmBiNJ0AdgXg
        11iClzC+uQm2BmmeXIjWRoCmOcxWzKBweErJGW0=
X-Received: by 2002:a25:c006:: with SMTP id c6mr41866622ybf.457.1643811068149;
 Wed, 02 Feb 2022 06:11:08 -0800 (PST)
MIME-Version: 1.0
References: <20220201161342.154666-1-Jason@zx2c4.com> <1920812.EuvsCRJjSr@tauon.chronox.de>
 <CAHmME9ouMHtTQxB1WHq3H+nfbg27OFaJtw78E5epCJsiHt3sHg@mail.gmail.com> <daffe6272525376d955a4eaa73263a7f08634ac1.camel@redhat.com>
In-Reply-To: <daffe6272525376d955a4eaa73263a7f08634ac1.camel@redhat.com>
From:   "Jason A. Donenfeld" <Jason@zx2c4.com>
Date:   Wed, 2 Feb 2022 15:10:57 +0100
X-Gmail-Original-Message-ID: <CAHmME9ohMLtfBgF752XCq-EOk5SRGcNkf-vf1oawXEkz9iOTtw@mail.gmail.com>
Message-ID: <CAHmME9ohMLtfBgF752XCq-EOk5SRGcNkf-vf1oawXEkz9iOTtw@mail.gmail.com>
Subject: Re: [PATCH] random: use computational hash for entropy extraction
To:     Simo Sorce <simo@redhat.com>
Cc:     Stephan Mueller <smueller@chronox.de>,
        LKML <linux-kernel@vger.kernel.org>,
        Linux Crypto Mailing List <linux-crypto@vger.kernel.org>,
        "Theodore Ts'o" <tytso@mit.edu>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Dominik Brodowski <linux@dominikbrodowski.net>,
        Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Simo,

Your message makes no sense to me.

> Note that there is no study
> about using internal states of hash functions, it would be better to

Ignoring your probably wrong mention about "no study", we're not
making any use of "internal states". We're using the hash function off
the shelf without modifications. There's no whacky bespoke crypto
going on, no use of "internal states", nothing that matches your
description.

> if the current code is mistakenly stretching the entropy, perhaps the
> correct curse of action

Except it's not. The non-underscore version calls into account(), and
returns false when it's not sufficiently full. I'm also not sure it
matters in the way you think it does; perhaps you could clarify what
you mean by "mistakenly stretching the entropy" and what you think
this enables.

> they are stretching the entropy, the risk is compounding errors and

Compounding errors? This doesn't make any sense.

> It would also be nice to have an explanation (in the patch or at least
> the commit message) about how entropy is preserved

That iterative hashing serves as a good entropy accumulator is
rigorously shown in the paper that the commit message references.

And either way, we never reseed the crng with more than 32 bytes, so
what's happening here is rather boring.

Thanks,
Jason