[src/trunk]: src/sys/kern Re-fix 'fix' for SA-2013-003. Because the original...

[tls <tls%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/ddb78770ad71
branches:  trunk
changeset: 785738:ddb78770ad71
user:      tls <tls%NetBSD.org@localhost>
date:      Thu Mar 28 18:06:48 2013 +0000

description:
Re-fix 'fix' for SA-2013-003.  Because the original fix evaluated a flag
backwards, in low-entropy conditions there was a time interval in which
/dev/urandom could still output bits on an unacceptably short key.  Output
from /dev/random was *NOT* impacted.

Eliminate the flag in question -- it's safest to always fill the requested
key buffer with output from the entropy-pool, even if we let the caller
know we couldn't provide bytes with the full entropy it requested.

Advisory will be updated soon with a full worst-case analysis of the
/dev/urandom output path in the presence of either variant of the
SA-2013-003 bug.  Fortunately, because a large amount of other input
is mixed in before users can obtain any output, it doesn't look as dangerous
in practice as I'd feared it might be.

diffstat:

 sys/kern/subr_cprng.c |  12 ++++++------
 1 files changed, 6 insertions(+), 6 deletions(-)

diffs (50 lines):

diff -r acd543fe0048 -r ddb78770ad71 sys/kern/subr_cprng.c
--- a/sys/kern/subr_cprng.c     Thu Mar 28 17:25:10 2013 +0000
+++ b/sys/kern/subr_cprng.c     Thu Mar 28 18:06:48 2013 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: subr_cprng.c,v 1.15 2013/01/26 16:05:34 tls Exp $ */
+/*     $NetBSD: subr_cprng.c,v 1.16 2013/03/28 18:06:48 tls Exp $ */
 
 /*-
  * Copyright (c) 2011 The NetBSD Foundation, Inc.
@@ -46,7 +46,7 @@
 
 #include <sys/cprng.h>
 
-__KERNEL_RCSID(0, "$NetBSD: subr_cprng.c,v 1.15 2013/01/26 16:05:34 tls Exp $");
+__KERNEL_RCSID(0, "$NetBSD: subr_cprng.c,v 1.16 2013/03/28 18:06:48 tls Exp $");
 
 void
 cprng_init(void)
@@ -157,11 +157,11 @@
 }
 
 static size_t
-cprng_entropy_try(uint8_t *key, size_t keylen, int hard)
+cprng_entropy_try(uint8_t *key, size_t keylen)
 {
        int r;
        r = rnd_extract_data(key, keylen, RND_EXTRACT_GOOD);
-       if (r != keylen && !hard) {
+       if (r != keylen) {      /* Always fill in, for safety */
                rnd_extract_data(key + r, keylen - r, RND_EXTRACT_ANY);
        }
        return r;
@@ -196,7 +196,7 @@
 
        selinit(&c->selq);
 
-       r = cprng_entropy_try(key, sizeof(key), c->flags & CPRNG_INIT_ANY);
+       r = cprng_entropy_try(key, sizeof(key));
        if (r != sizeof(key)) {
                if (c->flags & CPRNG_INIT_ANY) {
 #ifdef DEBUG
@@ -251,7 +251,7 @@
                if (c->flags & CPRNG_REKEY_ANY) {
                        uint8_t key[NIST_BLOCK_KEYLEN_BYTES];
 
-                       if (cprng_entropy_try(key, sizeof(key), 0) !=
+                       if (cprng_entropy_try(key, sizeof(key)) !=
                            sizeof(key)) {
                                printf("cprng %s: WARNING "
                                       "pseudorandom rekeying.\n", c->name);