Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/sys/kern Re-fix 'fix' for SA-2013-003. Because the original...
details: https://anonhg.NetBSD.org/src/rev/ddb78770ad71
branches: trunk
changeset: 785738:ddb78770ad71
user: tls <tls%NetBSD.org@localhost>
date: Thu Mar 28 18:06:48 2013 +0000
description:
Re-fix 'fix' for SA-2013-003. Because the original fix evaluated a flag
backwards, in low-entropy conditions there was a time interval in which
/dev/urandom could still output bits on an unacceptably short key. Output
from /dev/random was *NOT* impacted.
Eliminate the flag in question -- it's safest to always fill the requested
key buffer with output from the entropy-pool, even if we let the caller
know we couldn't provide bytes with the full entropy it requested.
Advisory will be updated soon with a full worst-case analysis of the
/dev/urandom output path in the presence of either variant of the
SA-2013-003 bug. Fortunately, because a large amount of other input
is mixed in before users can obtain any output, it doesn't look as dangerous
in practice as I'd feared it might be.
diffstat:
sys/kern/subr_cprng.c | 12 ++++++------
1 files changed, 6 insertions(+), 6 deletions(-)
diffs (50 lines):
diff -r acd543fe0048 -r ddb78770ad71 sys/kern/subr_cprng.c
--- a/sys/kern/subr_cprng.c Thu Mar 28 17:25:10 2013 +0000
+++ b/sys/kern/subr_cprng.c Thu Mar 28 18:06:48 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: subr_cprng.c,v 1.15 2013/01/26 16:05:34 tls Exp $ */
+/* $NetBSD: subr_cprng.c,v 1.16 2013/03/28 18:06:48 tls Exp $ */
/*-
* Copyright (c) 2011 The NetBSD Foundation, Inc.
@@ -46,7 +46,7 @@
#include <sys/cprng.h>
-__KERNEL_RCSID(0, "$NetBSD: subr_cprng.c,v 1.15 2013/01/26 16:05:34 tls Exp $");
+__KERNEL_RCSID(0, "$NetBSD: subr_cprng.c,v 1.16 2013/03/28 18:06:48 tls Exp $");
void
cprng_init(void)
@@ -157,11 +157,11 @@
}
static size_t
-cprng_entropy_try(uint8_t *key, size_t keylen, int hard)
+cprng_entropy_try(uint8_t *key, size_t keylen)
{
int r;
r = rnd_extract_data(key, keylen, RND_EXTRACT_GOOD);
- if (r != keylen && !hard) {
+ if (r != keylen) { /* Always fill in, for safety */
rnd_extract_data(key + r, keylen - r, RND_EXTRACT_ANY);
}
return r;
@@ -196,7 +196,7 @@
selinit(&c->selq);
- r = cprng_entropy_try(key, sizeof(key), c->flags & CPRNG_INIT_ANY);
+ r = cprng_entropy_try(key, sizeof(key));
if (r != sizeof(key)) {
if (c->flags & CPRNG_INIT_ANY) {
#ifdef DEBUG
@@ -251,7 +251,7 @@
if (c->flags & CPRNG_REKEY_ANY) {
uint8_t key[NIST_BLOCK_KEYLEN_BYTES];
- if (cprng_entropy_try(key, sizeof(key), 0) !=
+ if (cprng_entropy_try(key, sizeof(key)) !=
sizeof(key)) {
printf("cprng %s: WARNING "
"pseudorandom rekeying.\n", c->name);
Home |
Main Index |
Thread Index |
Old Index