lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 20 Aug 2020 06:42:23 +0200
From:   Sedat Dilek <sedat.dilek@...il.com>
To:     Willy Tarreau <w@....eu>
Cc:     Eric Dumazet <edumazet@...gle.com>, George Spelvin <lkml@....org>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Amit Klein <aksecurity@...il.com>,
        "Jason A. Donenfeld" <Jason@...c4.com>,
        Andy Lutomirski <luto@...nel.org>,
        Kees Cook <keescook@...omium.org>,
        Thomas Gleixner <tglx@...utronix.de>,
        Peter Zijlstra <peterz@...radead.org>, netdev@...r.kernel.org
Subject: Re: [DRAFT PATCH] random32: make prandom_u32() output unpredictable

On Thu, Aug 20, 2020 at 6:33 AM Willy Tarreau <w@....eu> wrote:
>
> On Thu, Aug 20, 2020 at 05:05:49AM +0200, Sedat Dilek wrote:
> > We have the same defines for K0 and K1 in include/linux/prandom.h and
> > lib/random32.c?
> > More room for simplifications?
>
> Definitely, I'm not surprized at all. As I said, the purpose was to
> discuss around the proposal, not much more. If we think it's the way
> to go, some major lifting is required. I just don't want to invest
> significant time on this if nobody cares.
>

OK.

Right now, I will try with the attached diff.

Unclear to me where this modpost "net_rand_noise" undefined! comes from.
Any hints?

- Sedat -

[ prandom-siphash-noise-wtarreau-20200816-dileks.diff ]

diff --git a/drivers/staging/rtl8188eu/include/rtw_security.h
b/drivers/staging/rtl8188eu/include/rtw_security.h
index 8ba02a7cea60..5cbb6fec71cd 100644
--- a/drivers/staging/rtl8188eu/include/rtw_security.h
+++ b/drivers/staging/rtl8188eu/include/rtw_security.h
@@ -221,6 +221,9 @@ do {
                         \
 #define ROL32(A, n)    (((A) << (n)) | (((A) >> (32 - (n)))  & ((1UL
<< (n)) - 1)))
 #define ROR32(A, n)    ROL32((A), 32 - (n))

+// XXX: Workaround: Undef defines from <include/linux/prandom.h>
+#undef K0
+#undef K1
 struct mic_data {
        u32  K0, K1;         /*  Key */
        u32  L, R;           /*  Current state */
diff --git a/drivers/staging/rtl8712/rtl871x_security.h
b/drivers/staging/rtl8712/rtl871x_security.h
index b2dda16cbd0a..d4ffb31d9d14 100644
--- a/drivers/staging/rtl8712/rtl871x_security.h
+++ b/drivers/staging/rtl8712/rtl871x_security.h
@@ -188,6 +188,9 @@ do {\
 #define ROL32(A, n) (((A) << (n)) | (((A)>>(32-(n)))  & ((1UL << (n)) - 1)))
 #define ROR32(A, n) ROL32((A), 32 - (n))

+// XXX: Workaround: Undef defines from <include/linux/prandom.h>
+#undef K0
+#undef K1
 struct mic_data {
        u32  K0, K1;         /* Key */
        u32  L, R;           /* Current state */
diff --git a/drivers/staging/rtl8723bs/include/rtw_security.h
b/drivers/staging/rtl8723bs/include/rtw_security.h
index 514c0799c34b..260ca9f29a35 100644
--- a/drivers/staging/rtl8723bs/include/rtw_security.h
+++ b/drivers/staging/rtl8723bs/include/rtw_security.h
@@ -271,6 +271,9 @@ do {\
 #define ROL32(A, n)    (((A) << (n)) | (((A)>>(32-(n)))  & ((1UL << (n)) - 1)))
 #define ROR32(A, n)    ROL32((A), 32-(n))

+// XXX: Workaround: Undef defines from <include/linux/prandom.h>
+#undef K0
+#undef K1
 struct mic_data {
        u32  K0, K1;         /*  Key */
        u32  L, R;           /*  Current state */
diff --git a/include/linux/prandom.h b/include/linux/prandom.h
index 95d73b01d8c5..efebcff3c93d 100644
--- a/include/linux/prandom.h
+++ b/include/linux/prandom.h
@@ -32,6 +32,11 @@ DECLARE_PER_CPU(unsigned long, net_rand_noise);
        v1 ^= v0, v0 = rol64(v0, 32),  v3 ^= v2,                     \
        v0 += v3, v3 = rol64(v3, 21),  v2 += v1, v1 = rol64(v1, 17), \
        v3 ^= v0,                      v1 ^= v2, v2 = rol64(v2, 32)  )
+#define SIPROUND(v0,v1,v2,v3) ( \
+       v0 += v1, v1 = rol64(v1, 13),  v2 += v3, v3 = rol64(v3, 16), \
+       v1 ^= v0, v0 = rol64(v0, 32),  v3 ^= v2,                     \
+       v0 += v3, v3 = rol64(v3, 21),  v2 += v1, v1 = rol64(v1, 17), \
+       v3 ^= v0,                      v1 ^= v2, v2 = rol64(v2, 32)  )
 #define K0 (0x736f6d6570736575 ^ 0x6c7967656e657261 )
 #define K1 (0x646f72616e646f6d ^ 0x7465646279746573 )

@@ -46,6 +51,11 @@ DECLARE_PER_CPU(unsigned long, net_rand_noise);
        v1 ^= v0, v0 = rol32(v0, 16),  v3 ^= v2,                     \
        v0 += v3, v3 = rol32(v3,  7),  v2 += v1, v1 = rol32(v1, 13), \
        v3 ^= v0,                      v1 ^= v2, v2 = rol32(v2, 16)  )
+#define SIPROUND(v0,v1,v2,v3) ( \
+       v0 += v1, v1 = rol32(v1,  5),  v2 += v3, v3 = rol32(v3,  8), \
+       v1 ^= v0, v0 = rol32(v0, 16),  v3 ^= v2,                     \
+       v0 += v3, v3 = rol32(v3,  7),  v2 += v1, v1 = rol32(v1, 13), \
+       v3 ^= v0,                      v1 ^= v2, v2 = rol32(v2, 16)  )
 #define K0 0x6c796765
 #define K1 0x74656462

diff --git a/lib/random32.c b/lib/random32.c
index 93f0cd3a67ee..f24c7a0febf0 100644
--- a/lib/random32.c
+++ b/lib/random32.c
@@ -323,37 +323,6 @@ struct siprand_state {
 static DEFINE_PER_CPU(struct siprand_state, net_rand_state) __latent_entropy;
 DEFINE_PER_CPU(unsigned long, net_rand_noise);

-#if BITS_PER_LONG == 64
-/*
- * The core SipHash round function.  Each line can be executed in
- * parallel given enough CPU resources.
- */
-#define SIPROUND(v0,v1,v2,v3) ( \
-       v0 += v1, v1 = rol64(v1, 13),  v2 += v3, v3 = rol64(v3, 16), \
-       v1 ^= v0, v0 = rol64(v0, 32),  v3 ^= v2,                     \
-       v0 += v3, v3 = rol64(v3, 21),  v2 += v1, v1 = rol64(v1, 17), \
-       v3 ^= v0,                      v1 ^= v2, v2 = rol64(v2, 32)  )
-#define K0 (0x736f6d6570736575 ^ 0x6c7967656e657261 )
-#define K1 (0x646f72616e646f6d ^ 0x7465646279746573 )
-
-#elif BITS_PER_LONG == 32
-/*
- * On 32-bit machines, we use HSipHash, a reduced-width version of SipHash.
- * This is weaker, but 32-bit machines are not used for high-traffic
- * applications, so there is less output for an attacker to analyze.
- */
-#define SIPROUND(v0,v1,v2,v3) ( \
-       v0 += v1, v1 = rol32(v1,  5),  v2 += v3, v3 = rol32(v3,  8), \
-       v1 ^= v0, v0 = rol32(v0, 16),  v3 ^= v2,                     \
-       v0 += v3, v3 = rol32(v3,  7),  v2 += v1, v1 = rol32(v1, 13), \
-       v3 ^= v0,                      v1 ^= v2, v2 = rol32(v2, 16)  )
-#define K0 0x6c796765
-#define K1 0x74656462
-
-#else
-#error Unsupported BITS_PER_LONG
-#endif
-
 /*
  * This is the core CPRNG function.  As "pseudorandom", this is not used
  * for truly valuable things, just intended to be a PITA to guess.

- EOF -

Powered by blists - more mailing lists