From: Greg KH <greg@kroah.com>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: stable@vger.kernel.org
Subject: Re: [PATCH 4.9] security/keys: rewrite all of big_key crypto
Date: Mon, 2 Oct 2017 13:07:03 +0200 [thread overview]
Message-ID: <20171002110703.GA13355@kroah.com> (raw)
In-Reply-To: <20171002105256.23071-1-Jason@zx2c4.com>
On Mon, Oct 02, 2017 at 12:52:56PM +0200, Jason A. Donenfeld wrote:
> commit 428490e38b2e352812e0b765d8bceafab0ec441d upstream.
>
> This started out as just replacing the use of crypto/rng with
> get_random_bytes_wait, so that we wouldn't use bad randomness at boot
> time. But, upon looking further, it appears that there were even deeper
> underlying cryptographic problems, and that this seems to have been
> committed with very little crypto review. So, I rewrote the whole thing,
> trying to keep to the conventions introduced by the previous author, to
> fix these cryptographic flaws.
>
> It makes no sense to seed crypto/rng at boot time and then keep
> using it like this, when in fact there's already get_random_bytes_wait,
> which can ensure there's enough entropy and be a much more standard way
> of generating keys. Since this sensitive material is being stored
> untrusted, using ECB and no authentication is simply not okay at all. I
> find it surprising and a bit horrifying that this code even made it past
> basic crypto review, which perhaps points to some larger issues. This
> patch moves from using AES-ECB to using AES-GCM. Since keys are uniquely
> generated each time, we can set the nonce to zero. There was also a race
> condition in which the same key would be reused at the same time in
> different threads. A mutex fixes this issue now.
>
> So, to summarize, this commit fixes the following vulnerabilities:
>
> * Low entropy key generation, allowing an attacker to potentially
> guess or predict keys.
> * Unauthenticated encryption, allowing an attacker to modify the
> cipher text in particular ways in order to manipulate the plaintext,
> which is is even more frightening considering the next point.
> * Use of ECB mode, allowing an attacker to trivially swap blocks or
> compare identical plaintext blocks.
> * Key re-use.
> * Faulty memory zeroing.
>
> [Note that in backporting this commit to 4.9, get_random_bytes_wait was
> replaced with get_random_bytes, since 4.9 does not have the former
> function. This might result in slightly worse entropy in key generation,
> but common use cases of big_keys makes that likely not a huge deal. And,
> this is the best we can do with this old kernel. Alas.]
Thanks for the backport, I've now taken this one instead.
greg k-h
prev parent reply other threads:[~2017-10-02 11:06 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-02 10:52 [PATCH 4.9] security/keys: rewrite all of big_key crypto Jason A. Donenfeld
2017-10-02 11:07 ` Greg KH [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171002110703.GA13355@kroah.com \
--to=greg@kroah.com \
--cc=Jason@zx2c4.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.