lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20121106120523.GA2805@hmsreliant.think-freely.org>
Date:	Tue, 6 Nov 2012 07:05:23 -0500
From:	Neil Horman <nhorman@...driver.com>
To:	Jarod Wilson <jarod@...hat.com>
Cc:	linux-kernel@...r.kernel.org,
	Herbert Xu <herbert@...dor.hengli.com.au>,
	"David S. Miller" <davem@...emloft.net>,
	Matt Mackall <mpm@...enic.com>, linux-crypto@...r.kernel.org
Subject: Re: [PATCH] random: prime last_data value per fips requirements

On Mon, Nov 05, 2012 at 04:00:10PM -0500, Jarod Wilson wrote:
> The value stored in last_data must be primed for FIPS 140-2 purposes. Upon
> first use, either on system startup or after an RNDCLEARPOOL ioctl, we
> need to take an initial random sample, store it internally in last_data,
> then pass along the value after that to the requester, so that consistency
> checks aren't being run against stale and possibly known data.
> 
> CC: Herbert Xu <herbert@...dor.apana.org.au>
> CC: "David S. Miller" <davem@...emloft.net>
> CC: Neil Horman <nhorman@...driver.com>
> CC: Matt Mackall <mpm@...enic.com>
> CC: linux-crypto@...r.kernel.org
> Signed-off-by: Jarod Wilson <jarod@...hat.com>
> ---
>  drivers/char/random.c |   11 +++++++++++
>  1 files changed, 11 insertions(+), 0 deletions(-)
> 
> diff --git a/drivers/char/random.c b/drivers/char/random.c
> index b86eae9..24d17b8 100644
> --- a/drivers/char/random.c
> +++ b/drivers/char/random.c
> @@ -437,6 +437,7 @@ struct entropy_store {
>  	int entropy_count;
>  	int entropy_total;
>  	unsigned int initialized:1;
> +	bool last_data_init;
>  	__u8 last_data[EXTRACT_SIZE];
>  };
>  
> @@ -967,6 +968,15 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
>  		if (fips_enabled) {
>  			unsigned long flags;
>  
> +			/* prime last_data value if need be, per fips 140-2 */
> +			if (!r->last_data_init) {
> +				spin_lock_irqsave(&r->lock, flags);
> +				memcpy(r->last_data, tmp, EXTRACT_SIZE);
> +				r->last_data_init = true;
> +				spin_unlock_irqrestore(&r->lock, flags);
> +				continue;
Continue?  Is that left over from earlier work?  Or did you have some other
purpose in mind for it?

Also, not that its in a hot path or anything, but it might be nice to
consolodate this code such that you only lock and unlock r->flags once instead
of twice here.

Best
Neil

> +			}
> +
>  			spin_lock_irqsave(&r->lock, flags);
>  			if (!memcmp(tmp, r->last_data, EXTRACT_SIZE))
>  				panic("Hardware RNG duplicated output!\n");
> @@ -1086,6 +1096,7 @@ static void init_std_data(struct entropy_store *r)
>  
>  	r->entropy_count = 0;
>  	r->entropy_total = 0;
> +	r->last_data_init = false;
>  	mix_pool_bytes(r, &now, sizeof(now), NULL);
>  	for (i = r->poolinfo->POOLBYTES; i > 0; i -= sizeof(rv)) {
>  		if (!arch_get_random_long(&rv))
> -- 
> 1.7.1
> 
> 
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ