[PATCH v4 04/13] security/keys: ensure RNG is seeded before use

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: "Theodore Ts'o" <tytso@mit.edu>,
	Linux Crypto Mailing List <linux-crypto@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	kernel-hardening@lists.openwall.com,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	David Miller <davem@davemloft.net>,
	Eric Biggers <ebiggers3@gmail.com>
Cc: "Jason A. Donenfeld" <Jason@zx2c4.com>,
	David Howells <dhowells@redhat.com>,
	Mimi Zohar <zohar@linux.vnet.ibm.com>,
	David Safford <safford@us.ibm.com>
Subject: [PATCH v4 04/13] security/keys: ensure RNG is seeded before use
Date: Tue,  6 Jun 2017 19:47:55 +0200	[thread overview]
Message-ID: <20170606174804.31124-5-Jason@zx2c4.com> (raw)
In-Reply-To: <20170606174804.31124-1-Jason@zx2c4.com>

Otherwise, we might use bad random numbers which, particularly in the
case of IV generation, could be quite bad. It makes sense to use the
synchronous API here, because we're always in process context (as the
code is littered with GFP_KERNEL and the like). However, we can't change
to using a blocking function in key serial allocation, because this will
block booting in some configurations, so here we use the more
appropriate get_random_u32, which will use RDRAND if available.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: David Safford <safford@us.ibm.com>
---
 security/keys/encrypted-keys/encrypted.c |  8 +++++---
 security/keys/key.c                      | 16 ++++++++--------
 2 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c
index 0010955d7876..d51a28fc5cd5 100644
--- a/security/keys/encrypted-keys/encrypted.c
+++ b/security/keys/encrypted-keys/encrypted.c
@@ -777,10 +777,12 @@ static int encrypted_init(struct encrypted_key_payload *epayload,
 
 	__ekey_init(epayload, format, master_desc, datalen);
 	if (!hex_encoded_iv) {
-		get_random_bytes(epayload->iv, ivsize);
+		ret = get_random_bytes_wait(epayload->iv, ivsize);
+		if (unlikely(ret))
+			return ret;
 
-		get_random_bytes(epayload->decrypted_data,
-				 epayload->decrypted_datalen);
+		ret = get_random_bytes_wait(epayload->decrypted_data,
+					    epayload->decrypted_datalen);
 	} else
 		ret = encrypted_key_decrypt(epayload, format, hex_encoded_iv);
 	return ret;
diff --git a/security/keys/key.c b/security/keys/key.c
index 455c04d80bbb..b72078e532f2 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -134,17 +134,15 @@ void key_user_put(struct key_user *user)
  * Allocate a serial number for a key.  These are assigned randomly to avoid
  * security issues through covert channel problems.
  */
-static inline void key_alloc_serial(struct key *key)
+static inline int key_alloc_serial(struct key *key)
 {
 	struct rb_node *parent, **p;
 	struct key *xkey;
 
-	/* propose a random serial number and look for a hole for it in the
-	 * serial number tree */
+	/* propose a non-negative random serial number and look for a hole for
+	 * it in the serial number tree */
 	do {
-		get_random_bytes(&key->serial, sizeof(key->serial));
-
-		key->serial >>= 1; /* negative numbers are not permitted */
+		key->serial = get_random_u32() >> 1;
 	} while (key->serial < 3);
 
 	spin_lock(&key_serial_lock);
@@ -170,7 +168,7 @@ static inline void key_alloc_serial(struct key *key)
 	rb_insert_color(&key->serial_node, &key_serial_tree);
 
 	spin_unlock(&key_serial_lock);
-	return;
+	return 0;
 
 	/* we found a key with the proposed serial number - walk the tree from
 	 * that point looking for the next unused serial number */
@@ -314,7 +312,9 @@ struct key *key_alloc(struct key_type *type, const char *desc,
 
 	/* publish the key by giving it a serial number */
 	atomic_inc(&user->nkeys);
-	key_alloc_serial(key);
+	ret = key_alloc_serial(key);
+	if (ret < 0)
+		goto security_error;
 
 error:
 	return key;
-- 
2.13.0

next prev parent reply	other threads:[~2017-06-06 17:48 UTC|newest]

Thread overview: 63+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-06-06 17:47 [PATCH v4 00/13] Unseeded In-Kernel Randomness Fixes Jason A. Donenfeld
2017-06-06 17:47 ` [PATCH v4 01/13] random: invalidate batched entropy after crng init Jason A. Donenfeld
2017-06-07 23:58   ` Theodore Ts'o
2017-06-08  0:52     ` Jason A. Donenfeld
2017-06-06 17:47 ` [PATCH v4 02/13] random: add synchronous API for the urandom pool Jason A. Donenfeld
2017-06-08  0:00   ` Theodore Ts'o
2017-06-06 17:47 ` [PATCH v4 03/13] random: add get_random_{bytes,u32,u64,int,long,once}_wait family Jason A. Donenfeld
2017-06-08  0:05   ` [kernel-hardening] " Theodore Ts'o
2017-06-06 17:47 ` Jason A. Donenfeld [this message]
2017-06-08  0:31   ` [PATCH v4 04/13] security/keys: ensure RNG is seeded before use Theodore Ts'o
2017-06-08  0:50     ` Jason A. Donenfeld
2017-06-08  1:03       ` Jason A. Donenfeld
2017-06-06 17:47 ` [PATCH v4 05/13] crypto/rng: ensure that the RNG is ready before using Jason A. Donenfeld
2017-06-08  0:41   ` [kernel-hardening] " Theodore Ts'o
2017-06-08  0:47     ` Jason A. Donenfeld
2017-06-06 17:47 ` [PATCH v4 06/13] iscsi: ensure RNG is seeded before use Jason A. Donenfeld
2017-06-08  2:43   ` Theodore Ts'o
2017-06-08 12:09     ` [kernel-hardening] " Jason A. Donenfeld
2017-06-16 21:58       ` Lee Duncan
2017-06-17  0:41         ` Jason A. Donenfeld
2017-06-17  3:45           ` Lee Duncan
2017-06-17 14:23             ` Jeffrey Walton
2017-06-17 18:50               ` [kernel-hardening] " Paul Koning
2017-07-05  7:08               ` Antw: Re: [kernel-hardening] " Ulrich Windl
2017-07-05 13:16                 ` Paul Koning
2017-07-05 17:34                   ` Theodore Ts'o
2017-06-18  8:04             ` Stephan Müller
2017-06-26  1:23               ` Nicholas A. Bellinger
2017-06-26 17:38                 ` Stephan Müller
2017-06-30  6:02                   ` Nicholas A. Bellinger
2017-07-05  7:03                   ` Antw: " Ulrich Windl
2017-07-05 12:35                     ` Theodore Ts'o
2017-06-06 17:47 ` [PATCH v4 07/13] ceph: ensure RNG is seeded before using Jason A. Donenfeld
2017-06-08  2:45   ` [kernel-hardening] " Theodore Ts'o
2017-06-06 17:47 ` [PATCH v4 08/13] cifs: use get_random_u32 for 32-bit lock random Jason A. Donenfeld
2017-06-08  0:25   ` [kernel-hardening] " Theodore Ts'o
2017-06-08  0:31     ` Jason A. Donenfeld
2017-06-08  0:34     ` Jason A. Donenfeld
2017-06-06 17:48 ` [PATCH v4 09/13] rhashtable: use get_random_u32 for hash_rnd Jason A. Donenfeld
2017-06-08  2:47   ` Theodore Ts'o
2017-06-06 17:48 ` [PATCH v4 10/13] net/neighbor: use get_random_u32 for 32-bit hash random Jason A. Donenfeld
2017-06-08  3:00   ` Theodore Ts'o
2017-06-06 17:48 ` [PATCH v4 11/13] net/route: use get_random_int for random counter Jason A. Donenfeld
2017-06-08  3:01   ` Theodore Ts'o
2017-06-06 17:48 ` [PATCH v4 12/13] bluetooth/smp: ensure RNG is properly seeded before ECDH use Jason A. Donenfeld
2017-06-08  3:06   ` Theodore Ts'o
2017-06-08  5:04     ` Marcel Holtmann
2017-06-08 12:03       ` Jason A. Donenfeld
2017-06-08 12:05       ` Jason A. Donenfeld
2017-06-08 17:05         ` Marcel Holtmann
2017-06-08 17:34           ` Jason A. Donenfeld
2017-06-09  1:16             ` [PATCH] bluetooth: ensure RNG is properly seeded before powerup Jason A. Donenfeld
2017-06-06 17:48 ` [PATCH v4 13/13] random: warn when kernel uses unseeded randomness Jason A. Donenfeld
2017-06-08  8:19   ` Theodore Ts'o
2017-06-08 12:01     ` Jason A. Donenfeld
2017-06-15 11:03     ` [kernel-hardening] " Michael Ellerman
2017-06-15 11:59       ` Stephan Müller
2017-06-18 15:46         ` Theodore Ts'o
2017-06-18 17:55           ` Stephan Müller
2017-06-18 19:12             ` Jason A. Donenfeld
2017-06-18 19:11           ` Jason A. Donenfeld
2017-06-08  8:43   ` Jeffrey Walton
2017-06-07 12:33 ` [PATCH v4 00/13] Unseeded In-Kernel Randomness Fixes Jason A. Donenfeld

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:0010955d787 dfblob:d51a28fc5cd dfblob:455c04d80bb
dfblob:b72078e532f )
 OR (
bs:"[PATCH v4 04/13] security/keys: ensure RNG is seeded before use" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170606174804.31124-5-Jason@zx2c4.com \
    --to=jason@zx2c4.com \
    --cc=davem@davemloft.net \
    --cc=dhowells@redhat.com \
    --cc=ebiggers3@gmail.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=safford@us.ibm.com \
    --cc=tytso@mit.edu \
    --cc=zohar@linux.vnet.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox