From patchwork Wed May 4 19:25:51 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Theodore Ts'o X-Patchwork-Id: 9017961 X-Patchwork-Delegate: herbert@gondor.apana.org.au Return-Path: X-Original-To: patchwork-linux-crypto@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork1.web.kernel.org (Postfix) with ESMTP id 7B6F59F30C for ; Wed, 4 May 2016 19:27:45 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 98E39203C1 for ; Wed, 4 May 2016 19:27:44 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id B80D3203C0 for ; Wed, 4 May 2016 19:27:43 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753798AbcEDT1a (ORCPT ); Wed, 4 May 2016 15:27:30 -0400 Received: from imap.thunk.org ([74.207.234.97]:46914 "EHLO imap.thunk.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753221AbcEDT0G (ORCPT ); Wed, 4 May 2016 15:26:06 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=thunk.org; s=ef5046eb; h=References:In-Reply-To:Message-Id:Date:Subject:Cc:To:From; bh=Xq/fIHhpVQkYt4cpYTFWnSbKsrSlgcbCXNrjzPuhylk=; b=rD/5IsolxHtTzsuAqf/mm1tgZkOGaudsOk7a0w3sZTJtmLoAqmKhqYdHuwSEmpEqq0UqXEytY+bpzU1YZKx2uOlF9snYzO7xdnhtoy4la0bRu8M3L7OcpzvLXA48txe5pFanQ3FhF5HIx44BKiXvLwYA3I699JhCW0xHn4mGHWM=; Received: from root (helo=closure.thunk.org) by imap.thunk.org with local-esmtp (Exim 4.84_2) (envelope-from ) id 1ay2Qn-0007E0-3y; Wed, 04 May 2016 19:25:57 +0000 Received: by closure.thunk.org (Postfix, from userid 15806) id 92CBA82015F; Wed, 4 May 2016 15:25:56 -0400 (EDT) From: Theodore Ts'o To: Linux Kernel Developers List Cc: smueller@chronox.de, herbert@gondor.apana.org.au, andi@firstfloor.org, sandyinchina@gmail.com, cryptography@lakedaemon.net, jsd@av8n.com, hpa@zytor.com, linux-crypto@vger.kernel.org, Theodore Ts'o Subject: [PATCH 4/4] random: add backtracking protection to the CRNG Date: Wed, 4 May 2016 15:25:51 -0400 Message-Id: <1462389951-29439-5-git-send-email-tytso@mit.edu> X-Mailer: git-send-email 2.5.0 In-Reply-To: <1462389951-29439-1-git-send-email-tytso@mit.edu> References: <1462389951-29439-1-git-send-email-tytso@mit.edu> X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: tytso@thunk.org X-SA-Exim-Scanned: No (on imap.thunk.org); SAEximRunCond expanded to false Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org X-Spam-Status: No, score=-8.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_HI,RP_MATCHES_RCVD,T_DKIM_INVALID,UNPARSEABLE_RELAY autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Signed-off-by: Theodore Ts'o --- drivers/char/random.c | 35 +++++++++++++++++++++++++++++++++-- 1 file changed, 33 insertions(+), 2 deletions(-) diff --git a/drivers/char/random.c b/drivers/char/random.c index 897c75e..028d085 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -886,6 +886,34 @@ static void extract_crng(__u8 out[CHACHA20_BLOCK_SIZE]) #endif } +/* + * Use the leftover bytes from the CRNG block output (if there is + * enough) to mutate the CRNG key to provide backtracking protection. + */ +static void crng_backtrack_protect(__u8 tmp[CHACHA20_BLOCK_SIZE], int unused) +{ +#ifdef CONFIG_NUMA + struct crng_state *crng = crng_node_pool[numa_node_id()]; +#else + struct crng_state *crng = &primary_crng; +#endif + unsigned long flags; + __u32 *s, *d; + int i; + + unused = round_up(unused, sizeof(__u32)); + if (unused + CHACHA20_KEY_SIZE > CHACHA20_BLOCK_SIZE) { + extract_crng(tmp); + unused = 0; + } + spin_lock_irqsave(&crng->lock, flags); + s = (__u32 *) &tmp[unused]; + d = &crng->state[4]; + for (i=0; i < 8; i++) + *d++ ^= *s++; + spin_unlock_irqrestore(&crng->lock, flags); +} + static ssize_t extract_crng_user(void __user *buf, size_t nbytes) { ssize_t ret = 0, i; @@ -913,6 +941,7 @@ static ssize_t extract_crng_user(void __user *buf, size_t nbytes) buf += i; ret += i; } + crng_backtrack_protect(tmp, i); /* Wipe data just written to memory */ memzero_explicit(tmp, sizeof(tmp)); @@ -1457,8 +1486,10 @@ void get_random_bytes(void *buf, int nbytes) if (nbytes > 0) { extract_crng(tmp); memcpy(buf, tmp, nbytes); - memzero_explicit(tmp, nbytes); - } + crng_backtrack_protect(tmp, nbytes); + } else + crng_backtrack_protect(tmp, 0); + memzero_explicit(tmp, sizeof(tmp)); } EXPORT_SYMBOL(get_random_bytes);