From: Daniel Borkmann <dborkman@redhat.com>
To: davem@davemloft.net
Cc: shemminger@networkplumber.org, fweimer@redhat.com,
netdev@vger.kernel.org,
Stephen Hemminger <stephen@networkplumber.org>,
"Theodore Ts'o" <tytso@mit.edu>,
Hannes Frederic Sowa <hannes@stressinduktion.org>
Subject: [PATCH net-next 1/6] random32: fix off-by-one in seeding requirement
Date: Mon, 11 Nov 2013 12:20:32 +0100
Message-ID: <9b88904fc7821fb8db2829a2bc0ac4df641d0387.1384160397.git.dborkman@redhat.com>
In-Reply-To: <cover.1384160397.git.dborkman@redhat.com>
For properly initialising the Tausworthe generator [1], we have
a strict seeding requirement, that is, s1 > 1, s2 > 7, s3 > 15.
Commit 697f8d0348 ("random32: seeding improvement") introduced
a __seed() function that imposes boundary checks proposed by the
errata paper [2] to properly ensure above conditions.
However, we're off by one, as the function is implemented as:
"return (x < m) ? x + m : x;", and called with __seed(X, 1),
__seed(X, 7), __seed(X, 15). Thus, an unwanted seed of 1, 7, 15
would be possible, whereas the lower boundary should actually
be of at least 2, 8, 16, just as GSL does. Fix this, as otherwise
an initialization with an unwanted seed could have the effect
that Tausworthe's PRNG properties cannot be ensured.
Note that this PRNG is *not* used for cryptography in the kernel.
[1] http://www.iro.umontreal.ca/~lecuyer/myftp/papers/tausme.ps
[2] http://www.iro.umontreal.ca/~lecuyer/myftp/papers/tausme2.ps
Joint work with Hannes Frederic Sowa.
Fixes: 697f8d0348a6 ("random32: seeding improvement")
Cc: Stephen Hemminger <stephen@networkplumber.org>
Cc: Florian Weimer <fweimer@redhat.com>
Cc: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
---
include/linux/random.h | 6 +++---
lib/random32.c | 14 +++++++-------
2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/include/linux/random.h b/include/linux/random.h
index 6312dd9..bf9085e 100644
--- a/include/linux/random.h
+++ b/include/linux/random.h
@@ -50,9 +50,9 @@ static inline void prandom_seed_state(struct rnd_state *state, u64 seed)
{
u32 i = (seed >> 32) ^ (seed << 10) ^ seed;
- state->s1 = __seed(i, 1);
- state->s2 = __seed(i, 7);
- state->s3 = __seed(i, 15);
+ state->s1 = __seed(i, 2);
+ state->s2 = __seed(i, 8);
+ state->s3 = __seed(i, 16);
}
#ifdef CONFIG_ARCH_RANDOM
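Review bot: the bounds 2, 8 and 16 are now spelled out as literals in four places across two files (here and in prandom_seed(), prandom_init() and prandom_reseed()); consider naming them once in random.h next to __seed(), so the relation to the paper's requirement s1 > 1, s2 > 7, s3 > 15 is stated in one spot and a future call site cannot reintroduce the off-by-one. Since __seed() is `return (x < m) ? x + m : x;`, a one-line comment that m is the smallest value the result can take would make the choice of 2/8/16 self-explaining.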
diff --git a/lib/random32.c b/lib/random32.c
index 52280d5..01e8890 100644
--- a/lib/random32.c
+++ b/lib/random32.c
@@ -141,7 +141,7 @@ void prandom_seed(u32 entropy)
*/
for_each_possible_cpu (i) {
struct rnd_state *state = &per_cpu(net_rand_state, i);
- state->s1 = __seed(state->s1 ^ entropy, 1);
+ state->s1 = __seed(state->s1 ^ entropy, 2);
}
}
EXPORT_SYMBOL(prandom_seed);
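Review bot: only s1 is refreshed here via `state->s1 ^ entropy`, while s2 and s3 keep their previous values. That is pre-existing behaviour, not something this patch changes, but since the line is being touched anyway, a short comment stating that the other two components are intentionally left alone would prevent readers from mistaking this for an incomplete update of the 2/8/16 change.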
@@ -158,9 +158,9 @@ static int __init prandom_init(void)
struct rnd_state *state = &per_cpu(net_rand_state,i);
#define LCG(x) ((x) * 69069) /* super-duper LCG */
- state->s1 = __seed(LCG(i + jiffies), 1);
- state->s2 = __seed(LCG(state->s1), 7);
- state->s3 = __seed(LCG(state->s2), 15);
+ state->s1 = __seed(LCG(i + jiffies), 2);
+ state->s2 = __seed(LCG(state->s1), 8);
+ state->s3 = __seed(LCG(state->s2), 16);
/* "warm it up" */
prandom_u32_state(state);
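Review bot: the corrected bounds matter most at this site, because `LCG(x) ((x) * 69069)` maps 0 to 0 and the chained `__seed(LCG(state->s1), 8)` / `__seed(LCG(state->s2), 16)` derive s2 and s3 from the preceding component; a comment noting that __seed() is what stops a zero or tiny `i + jiffies` from propagating a degenerate component down the chain would document why these constants are load-bearing here. Minor style nit on the unchanged context line: `per_cpu(net_rand_state,i)` is missing the space after the comma.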
@@ -187,9 +187,9 @@ static int __init prandom_reseed(void)
u32 seeds[3];
get_random_bytes(&seeds, sizeof(seeds));
- state->s1 = __seed(seeds[0], 1);
- state->s2 = __seed(seeds[1], 7);
- state->s3 = __seed(seeds[2], 15);
+ state->s1 = __seed(seeds[0], 2);
+ state->s2 = __seed(seeds[1], 8);
+ state->s3 = __seed(seeds[2], 16);
/* mix it in */
prandom_u32_state(state);
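Review bot: consistent with the other three sites. A value below 2/8/16 out of get_random_bytes() is very unlikely but not impossible, so the correction is needed here as well and not only at the jiffies-based sites. Style nit on the unchanged context line: `get_random_bytes(&seeds, sizeof(seeds))` passes a pointer to the array; plain `seeds` is the conventional form.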
--
1.8.3.1
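To make the off-by-one described in the commit message concrete, here is an added example in user-space C. It is not part of this patch or of the kernel: it models the `__seed()` body quoted above (renamed `bound_seed` because leading double underscores are reserved in user-space C), the call sites before and after the patch, and the taus88 step that lib/random32.c used at the time (constants from L'Ecuyer's paper [1]). The names `seed_before_patch`, `seed_after_patch`, `taus88_next`, `any_component_dead`, `dead_after_seeding` and `count_bad_seeds` are ours. It shows why a seed of 1, 7 or 15 is unwanted: each component's update masks off its low 1, 3 or 4 bits, so a component whose only set bits lie below the mask collapses to zero on the first step and stays there.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;

/* Three-component state, as in lib/random32.c of that era. */
struct rnd_state {
	u32 s1, s2, s3;
};

/* Same body as the kernel's __seed() quoted in the commit message;
 * renamed only because identifiers starting with "__" are reserved
 * in user-space C. */
static inline u32 bound_seed(u32 x, u32 m)
{
	return (x < m) ? x + m : x;
}

/* Seeding requirement from the Tausworthe paper [1]. */
static bool seed_ok(const struct rnd_state *st)
{
	return st->s1 > 1 && st->s2 > 7 && st->s3 > 15;
}

/* Call sites as they were before this patch (bounds 1, 7, 15). */
static void seed_before_patch(struct rnd_state *st, u32 x)
{
	st->s1 = bound_seed(x, 1);
	st->s2 = bound_seed(x, 7);
	st->s3 = bound_seed(x, 15);
}

/* Call sites as they are after this patch (bounds 2, 8, 16). */
static void seed_after_patch(struct rnd_state *st, u32 x)
{
	st->s1 = bound_seed(x, 2);
	st->s2 = bound_seed(x, 8);
	st->s3 = bound_seed(x, 16);
}

/* One taus88 step. The masks 0xFFFFFFFE / 0xFFFFFFF8 / 0xFFFFFFF0 discard
 * the low 1 / 3 / 4 bits of each component, which is where the thresholds
 * 1 / 7 / 15 come from: a component with no bits set above the mask is
 * zeroed by the update. */
#define TAUSWORTHE(s, a, b, c, d) \
	((((s) & (c)) << (d)) ^ ((((s) << (a)) ^ (s)) >> (b)))

static u32 taus88_next(struct rnd_state *st)
{
	st->s1 = TAUSWORTHE(st->s1, 13, 19, 4294967294U, 12);
	st->s2 = TAUSWORTHE(st->s2, 2, 25, 4294967288U, 4);
	st->s3 = TAUSWORTHE(st->s3, 3, 11, 4294967280U, 17);
	return st->s1 ^ st->s2 ^ st->s3;
}

/* True if any component is zero after one step; a zero component stays
 * zero forever, so the generator silently loses that component. */
static bool any_component_dead(struct rnd_state st)
{
	(void)taus88_next(&st);
	return st.s1 == 0 || st.s2 == 0 || st.s3 == 0;
}

/* Seed raw value x with the given routine and report a dead component. */
static bool dead_after_seeding(void (*seed)(struct rnd_state *, u32), u32 x)
{
	struct rnd_state st;

	seed(&st, x);
	return any_component_dead(st);
}

/* Count raw seeds x in [0, limit) that the routine turns into a state
 * violating the requirement or containing a dead component. */
static int count_bad_seeds(void (*seed)(struct rnd_state *, u32), u32 limit)
{
	int bad = 0;

	for (u32 x = 0; x < limit; x++) {
		struct rnd_state st;

		seed(&st, x);
		if (!seed_ok(&st) || any_component_dead(st))
			bad++;
	}
	return bad;
}

int main(void)
{
	struct rnd_state st;

	seed_before_patch(&st, 1);
	printf("before: x=1 -> s1=%u, dead after one step: %s\n",
	       st.s1, any_component_dead(st) ? "yes" : "no");
	seed_after_patch(&st, 1);
	printf("after:  x=1 -> s1=%u, dead after one step: %s\n",
	       st.s1, any_component_dead(st) ? "yes" : "no");
	printf("bad raw seeds in [0,16): before=%d after=%d\n",
	       count_bad_seeds(seed_before_patch, 16),
	       count_bad_seeds(seed_after_patch, 16));
	return 0;
}
```

With the old bounds, the raw values 0, 1, 7 and 15 all produce a state that fails the requirement and kills a component on the first step (x = 1 passes `bound_seed(1, 1)` unchanged, and s1 = 1 becomes 0 immediately); with the corrected bounds every raw value yields s1 >= 2, s2 >= 8, s3 >= 16 and no component dies.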