Linux-Crypto Archive on lore.kernel.org
 help / color / Atom feed
From: Elena Petrova <lenaptr@google.com>
To: Eric Biggers <ebiggers@kernel.org>
Cc: "open list:HARDWARE RANDOM NUMBER GENERATOR CORE" 
	<linux-crypto@vger.kernel.org>, Ard Biesheuvel <ardb@kernel.org>
Subject: Re: [PATCH 1/1] crypto: af_alg - add extra parameters for DRBG interface
Date: Thu, 16 Jul 2020 15:23:14 +0100
Message-ID: <CABvBcwY44BPa+TaDwxWaEogpg3Kdkq8o9cR5gSqNGF-o6d3jrw@mail.gmail.com> (raw)
In-Reply-To: <20200713171045.GA722906@gmail.com>

Thank you for the review, Eric, I'll address your comments in v2.

On Mon, 13 Jul 2020 at 18:10, Eric Biggers <ebiggers@kernel.org> wrote:
>
> Just some bike-shedding:
>
> On Mon, Jul 13, 2020 at 05:48:57PM +0100, Elena Petrova wrote:
> > Extending the userspace RNG interface:
> >   1. adding ALG_SET_DRBG_ENTROPY setsockopt option for entropy input;
> >   2. using sendmsg syscall for specifying the additional data.
> >
> > Signed-off-by: Elena Petrova <lenaptr@google.com>
>
> A cover letter shouldn't really be used for a single patch.
> Just put the details here in the commit message.

Ack

> > diff --git a/crypto/algif_rng.c b/crypto/algif_rng.c
> > index 087c0ad09d38..c3d1667db367 100644
> > --- a/crypto/algif_rng.c
> > +++ b/crypto/algif_rng.c
> > @@ -53,8 +53,24 @@ struct rng_ctx {
> >  #define MAXSIZE 128
> >       unsigned int len;
> >       struct crypto_rng *drng;
> > +     u8 *addtl;
> > +     size_t addtl_len;
> >  };
> >
> > +struct rng_parent_ctx {
> > +     struct crypto_rng *drng;
> > +     u8 *entropy;
> > +};
> > +
> > +static void reset_addtl(struct rng_ctx *ctx)
> > +{
> > +     if (ctx->addtl) {
> > +             kzfree(ctx->addtl);
> > +             ctx->addtl = NULL;
> > +     }
> > +     ctx->addtl_len = 0;
> > +}
>
> It's recommended to prefix function names.  So, reset_addtl => rng_reset_addtl.

Ack

> > +static int rng_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
> > +{
> > +     int err;
> > +     struct alg_sock *ask = alg_sk(sock->sk);
> > +     struct rng_ctx *ctx = ask->private;
> > +
> > +     reset_addtl(ctx);
> > +     ctx->addtl = kzalloc(len, GFP_KERNEL);
> > +     if (!ctx->addtl)
> > +             return -ENOMEM;
>
> Shouldn't the length be limited here?
>
> Also, kmalloc would be sufficient since the memcpy_from_msg() immediately below
> initializes the memory.

Good point, I'll use the same limit as for the recv(). Ack kzalloc/kmalloc.

> > +
> > +     err = memcpy_from_msg(ctx->addtl, msg, len);
> > +     if (err) {
> > +             reset_addtl(ctx);
> > +             return err;
> > +     }
> > +     ctx->addtl_len = len;
> > +
> > +     return 0;
> > +}
>
> >  static void *rng_bind(const char *name, u32 type, u32 mask)
> >  {
> > -     return crypto_alloc_rng(name, type, mask);
> > +     struct rng_parent_ctx *pctx;
> > +     void *err_ptr;
> > +
> > +     pctx = kzalloc(sizeof(*pctx), GFP_KERNEL);
> > +     if (!pctx)
> > +             return ERR_PTR(-ENOMEM);
> > +
> > +     pctx->drng = crypto_alloc_rng(name, type, mask);
> > +     if (!IS_ERR(pctx->drng))
> > +             return pctx;
> > +
> > +     err_ptr = pctx->drng;
> > +     kfree(pctx);
> > +     return err_ptr;
> >  }
>
> The error handling here is weird.  It would be more conventional to do something
> like:
>
> static void *rng_bind(const char *name, u32 type, u32 mask)
> {
>         struct rng_parent_ctx *pctx;
>         struct crypto_rng *rng;
>
>         pctx = kzalloc(sizeof(*pctx), GFP_KERNEL);
>         if (!pctx)
>                 return ERR_PTR(-ENOMEM);
>
>         rng = crypto_alloc_rng(name, type, mask);
>         if (IS_ERR(rng)) {
>                 kfree(pctx);
>                 return ERR_CAST(rng);
>         }
>
>         pctx->drng = rng;
>         return pctx;
> }

Thanks, I will use your variant.

> >  static void rng_release(void *private)
> >  {
> > -     crypto_free_rng(private);
> > +     struct rng_parent_ctx *pctx = private;
> > +     if (unlikely(!pctx))
> > +             return;
>
> There should be a blank line between declarations and statements.

Ack

> > +     crypto_free_rng(pctx->drng);
> > +     if (pctx->entropy)
> > +             kzfree(pctx->entropy);
>
> No need to check for NULL before calling kzfree().

Ack

> > +static int rng_setentropy(void *private, const u8 *entropy, unsigned int len)
> > +{
> > +     struct rng_parent_ctx *pctx = private;
> > +     u8 *kentropy = NULL;
> > +
> > +     if (pctx->entropy)
> > +             return -EINVAL;
> > +
> > +     if (entropy && len) {
>
> Best to check just 'len', so that users get an error as expected if they
> accidentally pass entry=NULL len=nonzero.

Ack

> > +             kentropy = kzalloc(len, GFP_KERNEL);
> > +             if (!kentropy)
> > +                     return -ENOMEM;
> > +             if (copy_from_user(kentropy, entropy, len)) {
> > +                     kzfree(kentropy);
> > +                     return -EFAULT;
> > +             }
>
> This can use memdup_user().  Also, should there be a length limit?

Alright, changed to memdup_user() and added the same limit as in send and recv.

> > +     }
> > +
> > +     crypto_rng_alg(pctx->drng)->set_ent(pctx->drng, kentropy, len);
> > +     pctx->entropy = kentropy;
>
> pctx->entropy could just be a bool 'has_entropy', right?  The actual value
> doesn't need to be saved.

I need to keep the pointer to free it after use. DRBG saves the
pointer in one of its internal structures, but doesn't do any memory
management. So I had to either change drbg code to deal with the
memory, or save the pointer somewhere inside the socket. I opted for
the latter.

> > +static int rng_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
> > +{
> > +     int err;
> > +     struct alg_sock *ask = alg_sk(sock->sk);
> > +     struct rng_ctx *ctx = ask->private;
> > +
> > +     reset_addtl(ctx);
> > +     ctx->addtl = kzalloc(len, GFP_KERNEL);
> > +     if (!ctx->addtl)
> > +             return -ENOMEM;
> > +
> > +     err = memcpy_from_msg(ctx->addtl, msg, len);
> > +     if (err) {
> > +             reset_addtl(ctx);
> > +             return err;
> > +     }
> > +     ctx->addtl_len = len;
> > +
> > +     return 0;
> > +}
>
> This is also missing any sort of locking, both between concurrent calls to
> rng_sendmsg(), and between rng_sendmsg() and rng_recvmsg().
>
> lock_sock() would solve the former.  I'm not sure what should be done about
> rng_recvmsg().  It apparently relies on the crypto_rng doing its own locking,
> but maybe it should just use lock_sock() too.

Thanks, I've added lock_sock() to both.

> - Eric

  reply index

Thread overview: 43+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-07-13 16:48 [PATCH 0/1] " Elena Petrova
2020-07-13 16:48 ` [PATCH 1/1] " Elena Petrova
2020-07-13 17:10   ` Eric Biggers
2020-07-16 14:23     ` Elena Petrova [this message]
2020-07-16 16:40       ` [PATCH v2] " Elena Petrova
2020-07-20 17:35         ` Stephan Mueller
2020-07-21 12:55           ` Elena Petrova
2020-07-21 13:18             ` Stephan Mueller
2020-07-28 16:16               ` Elena Petrova
2020-07-20 17:42         ` Stephan Müller
2020-07-22 15:59         ` Eric Biggers
2020-07-28 15:51           ` [PATCH v3] " Elena Petrova
2020-07-28 17:36             ` Eric Biggers
2020-07-29 15:45               ` [PATCH v4] " Elena Petrova
2020-07-29 19:26                 ` Stephan Müller
2020-07-31  7:23                 ` Herbert Xu
2020-08-03 14:48                   ` Elena Petrova
2020-08-03 15:10                     ` Stephan Mueller
2020-08-03 15:30                       ` Elena Petrova
2020-08-04  2:18                     ` Herbert Xu
2020-07-13 17:25   ` [PATCH 1/1] " Eric Biggers
2020-07-31  7:26     ` Herbert Xu
2020-08-13 16:00       ` Elena Petrova
2020-08-13 16:01         ` [PATCH v4] " Elena Petrova
2020-08-13 16:04           ` Elena Petrova
2020-08-13 16:08             ` [PATCH v5] " Elena Petrova
2020-08-13 19:32               ` Eric Biggers
2020-08-21  4:24                 ` Herbert Xu
2020-09-08 17:04                   ` [PATCH v6] " Elena Petrova
2020-09-09  4:35                     ` Eric Biggers
2020-09-09 18:29                       ` [PATCH v7] " Elena Petrova
2020-09-09 21:00                         ` Eric Biggers
2020-09-16 11:07                           ` [PATCH v8] " Elena Petrova
2020-09-18  6:43                             ` Herbert Xu
2020-09-18 15:42                               ` [PATCH v9] " Elena Petrova
2020-09-08 17:23                   ` [PATCH v5] " Elena Petrova
2020-09-08 17:18                 ` Elena Petrova
2020-07-14  5:17 ` [PATCH 0/1] " Stephan Mueller
2020-07-14 15:23   ` Elena Petrova
2020-07-14 15:34     ` Stephan Mueller
2020-07-16 14:41       ` Elena Petrova
2020-07-16 14:49         ` Stephan Mueller
2020-07-16 14:59           ` Stephan Mueller

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CABvBcwY44BPa+TaDwxWaEogpg3Kdkq8o9cR5gSqNGF-o6d3jrw@mail.gmail.com \
    --to=lenaptr@google.com \
    --cc=ardb@kernel.org \
    --cc=ebiggers@kernel.org \
    --cc=linux-crypto@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-Crypto Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-crypto/0 linux-crypto/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-crypto linux-crypto/ https://lore.kernel.org/linux-crypto \
		linux-crypto@vger.kernel.org
	public-inbox-index linux-crypto

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-crypto


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git