lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Fri, 26 Nov 2021 13:31:05 +0800
From:   Herbert Xu <herbert@...dor.apana.org.au>
To:     Nicolai Stange <nstange@...e.de>
Cc:     Stephan Müller <smueller@...onox.de>,
        "David S. Miller" <davem@...emloft.net>,
        Torsten Duwe <duwe@...e.de>, linux-crypto@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 0/6] crypto: DRBG - improve 'nopr' reseeding

On Mon, Nov 15, 2021 at 03:18:03PM +0100, Nicolai Stange wrote:
> Hi all,
> 
> v1 can be found here:
> 
>   https://lore.kernel.org/r/20211025092525.12805-1-nstange@suse.de
> 
> The changes between v1 and v2 are summarized below.
> 
> 
> Cover letter reproduced 1:1 from v1:
> 
> This patchset aims at (hopefully) improving the DRBG code related to
> reseeding from get_random_bytes() a bit:
> - Replace the asynchronous random_ready_callback based DRBG reseeding
>   logic with a synchronous solution leveraging rng_is_initialized(). This
>   move simplifies the code IMO and, as a side-effect, would enable DRBG
>   users to rely on wait_for_random_bytes() to sync properly with
>   drbg_generate(), if desired. Implemented by patches 1-5/6.
> - Make the 'nopr' DRBGs to reseed themselves every 5min from
>   get_random_bytes(). This achieves at least kind of a partial prediction
>   resistance over the time domain at almost no extra cost. Implemented
>   by patch 6/6, the preceding patches in this series are a prerequisite
>   for this.
> 
> Tested with and without fips_enabled in a x86_64 VM, both with
> random.trust_cpu=on and off. As confirmed with a couple of debugging
> printks() (added for testing only, not included in this series), DRBGs
> have been instantiated with and without rng_is_initialized() evaluating
> to true each during my tests and the patched DRBG reseeding code worked as
> intended in either case.
> 
> Applies to current herbert/cryptodev-2.6.git master.
> 
> 
> Changes between v1 and v2:
> - 4/6: remove redundant goto statement, spotted by Stephan.
> 
> For the unmodified rest, I added Stephan's Reviewed-bys he granted in
> reply to v1.
> 
> Many thanks for your comments and remarks!
> 
> Nicolai
> 
> Nicolai Stange (6):
>   crypto: DRBG - prepare for more fine-grained tracking of seeding state
>   crypto: DRBG - track whether DRBG was seeded with
>     !rng_is_initialized()
>   crypto: DRBG - move dynamic ->reseed_threshold adjustments to
>     __drbg_seed()
>   crypto: DRBG - make reseeding from get_random_bytes() synchronous
>   crypto: DRBG - make drbg_prepare_hrng() handle jent instantiation
>     errors
>   crypto: DRBG - reseed 'nopr' drbgs periodically from
>     get_random_bytes()
> 
>  crypto/drbg.c         | 143 +++++++++++++++++++++---------------------
>  include/crypto/drbg.h |  11 +++-
>  2 files changed, 80 insertions(+), 74 deletions(-)

All applied.  Thanks.
-- 
Email: Herbert Xu <herbert@...dor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ