From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: "Theodore Ts'o" <tytso@mit.edu>,
Linux Crypto Mailing List <linux-crypto@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
kernel-hardening@lists.openwall.com,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
David Miller <davem@davemloft.net>,
Eric Biggers <ebiggers3@gmail.com>
Cc: "Jason A. Donenfeld" <Jason@zx2c4.com>
Subject: [PATCH v4 02/13] random: add synchronous API for the urandom pool
Date: Tue, 6 Jun 2017 19:47:53 +0200 [thread overview]
Message-ID: <20170606174804.31124-3-Jason@zx2c4.com> (raw)
In-Reply-To: <20170606174804.31124-1-Jason@zx2c4.com>
This enables users of get_random_{bytes,u32,u64,int,long} to wait until
the pool is ready before using this function, in case they actually want
to have reliable randomness.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
---
drivers/char/random.c | 41 +++++++++++++++++++++++++++++++----------
include/linux/random.h | 1 +
2 files changed, 32 insertions(+), 10 deletions(-)
diff --git a/drivers/char/random.c b/drivers/char/random.c
index 2291e6224ed3..36cdb2406610 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -851,11 +851,6 @@ static void crng_reseed(struct crng_state *crng, struct entropy_store *r)
spin_unlock_irqrestore(&primary_crng.lock, flags);
}
-static inline void crng_wait_ready(void)
-{
- wait_event_interruptible(crng_init_wait, crng_ready());
-}
-
static void _extract_crng(struct crng_state *crng,
__u8 out[CHACHA20_BLOCK_SIZE])
{
@@ -1473,7 +1468,10 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
* number of good random numbers, suitable for key generation, seeding
* TCP sequence numbers, etc. It does not rely on the hardware random
* number generator. For random bytes direct from the hardware RNG
- * (when available), use get_random_bytes_arch().
+ * (when available), use get_random_bytes_arch(). In order to ensure
+ * that the randomness provided by this function is okay, the function
+ * wait_for_random_bytes() should be called and return 0 at least once
+ * at any point prior.
*/
void get_random_bytes(void *buf, int nbytes)
{
@@ -1503,6 +1501,24 @@ void get_random_bytes(void *buf, int nbytes)
EXPORT_SYMBOL(get_random_bytes);
/*
+ * Wait for the urandom pool to be seeded and thus guaranteed to supply
+ * cryptographically secure random numbers. This applies to: the /dev/urandom
+ * device, the get_random_bytes function, and the get_random_{u32,u64,int,long}
+ * family of functions. Using any of these functions without first calling
+ * this function forfeits the guarantee of security.
+ *
+ * Returns: 0 if the urandom pool has been seeded.
+ * -ERESTARTSYS if the function was interrupted by a signal.
+ */
+int wait_for_random_bytes(void)
+{
+ if (likely(crng_ready()))
+ return 0;
+ return wait_event_interruptible(crng_init_wait, crng_ready());
+}
+EXPORT_SYMBOL(wait_for_random_bytes);
+
+/*
* Add a callback function that will be invoked when the nonblocking
* pool is initialised.
*
@@ -1856,6 +1872,8 @@ const struct file_operations urandom_fops = {
SYSCALL_DEFINE3(getrandom, char __user *, buf, size_t, count,
unsigned int, flags)
{
+ int ret;
+
if (flags & ~(GRND_NONBLOCK|GRND_RANDOM))
return -EINVAL;
@@ -1868,9 +1886,9 @@ SYSCALL_DEFINE3(getrandom, char __user *, buf, size_t, count,
if (!crng_ready()) {
if (flags & GRND_NONBLOCK)
return -EAGAIN;
- crng_wait_ready();
- if (signal_pending(current))
- return -ERESTARTSYS;
+ ret = wait_for_random_bytes();
+ if (unlikely(ret))
+ return ret;
}
return urandom_read(NULL, buf, count, NULL);
}
@@ -2031,7 +2049,10 @@ static rwlock_t batched_entropy_reset_lock = __RW_LOCK_UNLOCKED(batched_entropy_
/*
* Get a random word for internal kernel use only. The quality of the random
* number is either as good as RDRAND or as good as /dev/urandom, with the
- * goal of being quite fast and not depleting entropy.
+ * goal of being quite fast and not depleting entropy. In order to ensure
+ * that the randomness provided by this function is okay, the function
+ * wait_for_random_bytes() should be called and return 0 at least once
+ * at any point prior.
*/
static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u64);
u64 get_random_u64(void)
diff --git a/include/linux/random.h b/include/linux/random.h
index ed5c3838780d..e29929347c95 100644
--- a/include/linux/random.h
+++ b/include/linux/random.h
@@ -34,6 +34,7 @@ extern void add_input_randomness(unsigned int type, unsigned int code,
extern void add_interrupt_randomness(int irq, int irq_flags) __latent_entropy;
extern void get_random_bytes(void *buf, int nbytes);
+extern int wait_for_random_bytes(void);
extern int add_random_ready_callback(struct random_ready_callback *rdy);
extern void del_random_ready_callback(struct random_ready_callback *rdy);
extern void get_random_bytes_arch(void *buf, int nbytes);
--
2.13.0
next prev parent reply other threads:[~2017-06-06 17:48 UTC|newest]
Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-06 17:47 [PATCH v4 00/13] Unseeded In-Kernel Randomness Fixes Jason A. Donenfeld
2017-06-06 17:47 ` [PATCH v4 01/13] random: invalidate batched entropy after crng init Jason A. Donenfeld
2017-06-07 23:58 ` Theodore Ts'o
2017-06-08 0:52 ` Jason A. Donenfeld
2017-06-06 17:47 ` Jason A. Donenfeld [this message]
2017-06-08 0:00 ` [PATCH v4 02/13] random: add synchronous API for the urandom pool Theodore Ts'o
2017-06-06 17:47 ` [PATCH v4 03/13] random: add get_random_{bytes,u32,u64,int,long,once}_wait family Jason A. Donenfeld
2017-06-08 0:05 ` [kernel-hardening] " Theodore Ts'o
2017-06-06 17:47 ` [PATCH v4 04/13] security/keys: ensure RNG is seeded before use Jason A. Donenfeld
2017-06-08 0:31 ` Theodore Ts'o
2017-06-08 0:50 ` Jason A. Donenfeld
2017-06-08 1:03 ` Jason A. Donenfeld
2017-06-06 17:47 ` [PATCH v4 05/13] crypto/rng: ensure that the RNG is ready before using Jason A. Donenfeld
2017-06-08 0:41 ` [kernel-hardening] " Theodore Ts'o
2017-06-08 0:47 ` Jason A. Donenfeld
2017-06-06 17:47 ` [PATCH v4 06/13] iscsi: ensure RNG is seeded before use Jason A. Donenfeld
2017-06-08 2:43 ` Theodore Ts'o
2017-06-08 12:09 ` [kernel-hardening] " Jason A. Donenfeld
2017-06-16 21:58 ` Lee Duncan
2017-06-17 0:41 ` Jason A. Donenfeld
2017-06-17 3:45 ` Lee Duncan
2017-06-17 14:23 ` Jeffrey Walton
2017-06-17 18:50 ` [kernel-hardening] " Paul Koning
2017-07-05 7:08 ` Antw: Re: [kernel-hardening] " Ulrich Windl
2017-07-05 13:16 ` Paul Koning
2017-07-05 17:34 ` Theodore Ts'o
2017-06-18 8:04 ` Stephan Müller
2017-06-26 1:23 ` Nicholas A. Bellinger
2017-06-26 17:38 ` Stephan Müller
2017-06-30 6:02 ` Nicholas A. Bellinger
2017-07-05 7:03 ` Antw: " Ulrich Windl
2017-07-05 12:35 ` Theodore Ts'o
2017-06-06 17:47 ` [PATCH v4 07/13] ceph: ensure RNG is seeded before using Jason A. Donenfeld
2017-06-08 2:45 ` [kernel-hardening] " Theodore Ts'o
2017-06-06 17:47 ` [PATCH v4 08/13] cifs: use get_random_u32 for 32-bit lock random Jason A. Donenfeld
2017-06-08 0:25 ` [kernel-hardening] " Theodore Ts'o
2017-06-08 0:31 ` Jason A. Donenfeld
2017-06-08 0:34 ` Jason A. Donenfeld
2017-06-06 17:48 ` [PATCH v4 09/13] rhashtable: use get_random_u32 for hash_rnd Jason A. Donenfeld
2017-06-08 2:47 ` Theodore Ts'o
2017-06-06 17:48 ` [PATCH v4 10/13] net/neighbor: use get_random_u32 for 32-bit hash random Jason A. Donenfeld
2017-06-08 3:00 ` Theodore Ts'o
2017-06-06 17:48 ` [PATCH v4 11/13] net/route: use get_random_int for random counter Jason A. Donenfeld
2017-06-08 3:01 ` Theodore Ts'o
2017-06-06 17:48 ` [PATCH v4 12/13] bluetooth/smp: ensure RNG is properly seeded before ECDH use Jason A. Donenfeld
2017-06-08 3:06 ` Theodore Ts'o
2017-06-08 5:04 ` Marcel Holtmann
2017-06-08 12:03 ` Jason A. Donenfeld
2017-06-08 12:05 ` Jason A. Donenfeld
2017-06-08 17:05 ` Marcel Holtmann
2017-06-08 17:34 ` Jason A. Donenfeld
2017-06-09 1:16 ` [PATCH] bluetooth: ensure RNG is properly seeded before powerup Jason A. Donenfeld
2017-06-06 17:48 ` [PATCH v4 13/13] random: warn when kernel uses unseeded randomness Jason A. Donenfeld
2017-06-08 8:19 ` Theodore Ts'o
2017-06-08 12:01 ` Jason A. Donenfeld
2017-06-15 11:03 ` [kernel-hardening] " Michael Ellerman
2017-06-15 11:59 ` Stephan Müller
2017-06-18 15:46 ` Theodore Ts'o
2017-06-18 17:55 ` Stephan Müller
2017-06-18 19:12 ` Jason A. Donenfeld
2017-06-18 19:11 ` Jason A. Donenfeld
2017-06-08 8:43 ` Jeffrey Walton
2017-06-07 12:33 ` [PATCH v4 00/13] Unseeded In-Kernel Randomness Fixes Jason A. Donenfeld
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170606174804.31124-3-Jason@zx2c4.com \
--to=jason@zx2c4.com \
--cc=davem@davemloft.net \
--cc=ebiggers3@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox