[src/netbsd-6]: src/sys/kern Pull up following revision(s) (requested by tls ...

[msaitoh <msaitoh%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/add10e72e4b1
branches:  netbsd-6
changeset: 775739:add10e72e4b1
user:      msaitoh <msaitoh%NetBSD.org@localhost>
date:      Fri Mar 29 00:44:28 2013 +0000

description:
Pull up following revision(s) (requested by tls in ticket #859):
        sys/kern/subr_cprng.c: revision 1.16
Re-fix 'fix' for SA-2013-003.  Because the original fix evaluated a flag
backwards, in low-entropy conditions there was a time interval in which
/dev/urandom could still output bits on an unacceptably short key.  Output
from /dev/random was *NOT* impacted.
Eliminate the flag in question -- it's safest to always fill the requested
key buffer with output from the entropy-pool, even if we let the caller
know we couldn't provide bytes with the full entropy it requested.
Advisory will be updated soon with a full worst-case analysis of the
/dev/urandom output path in the presence of either variant of the
SA-2013-003 bug.  Fortunately, because a large amount of other input
is mixed in before users can obtain any output, it doesn't look as dangerous
in practice as I'd feared it might be.

diffstat:

 sys/kern/subr_cprng.c |  12 ++++++------
 1 files changed, 6 insertions(+), 6 deletions(-)

diffs (50 lines):

diff -r 09a26a41eec4 -r add10e72e4b1 sys/kern/subr_cprng.c
--- a/sys/kern/subr_cprng.c     Fri Mar 15 23:26:27 2013 +0000
+++ b/sys/kern/subr_cprng.c     Fri Mar 29 00:44:28 2013 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: subr_cprng.c,v 1.5.2.7 2013/01/26 21:35:23 bouyer Exp $ */
+/*     $NetBSD: subr_cprng.c,v 1.5.2.8 2013/03/29 00:44:28 msaitoh Exp $ */
 
 /*-
  * Copyright (c) 2011 The NetBSD Foundation, Inc.
@@ -46,7 +46,7 @@
 
 #include <sys/cprng.h>
 
-__KERNEL_RCSID(0, "$NetBSD: subr_cprng.c,v 1.5.2.7 2013/01/26 21:35:23 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: subr_cprng.c,v 1.5.2.8 2013/03/29 00:44:28 msaitoh Exp $");
 
 void
 cprng_init(void)
@@ -157,11 +157,11 @@
 }
 
 static size_t
-cprng_entropy_try(uint8_t *key, size_t keylen, int hard)
+cprng_entropy_try(uint8_t *key, size_t keylen)
 {
        int r;
        r = rnd_extract_data(key, keylen, RND_EXTRACT_GOOD);
-       if (r != keylen && !hard) {
+       if (r != keylen) {      /* Always fill in, for safety */
                rnd_extract_data(key + r, keylen - r, RND_EXTRACT_ANY);
        }
        return r;
@@ -196,7 +196,7 @@
 
        selinit(&c->selq);
 
-       r = cprng_entropy_try(key, sizeof(key), c->flags & CPRNG_INIT_ANY);
+       r = cprng_entropy_try(key, sizeof(key));
        if (r != sizeof(key)) {
                if (c->flags & CPRNG_INIT_ANY) {
 #ifdef DEBUG
@@ -251,7 +251,7 @@
                if (c->flags & CPRNG_REKEY_ANY) {
                        uint8_t key[NIST_BLOCK_KEYLEN_BYTES];
 
-                       if (cprng_entropy_try(key, sizeof(key), 0) !=
+                       if (cprng_entropy_try(key, sizeof(key)) !=
                            sizeof(key)) {
                                printf("cprng %s: WARNING "
                                       "pseudorandom rekeying.\n", c->name);