From: Sedat Dilek <sedat.dilek@gmail.com>
To: Willy Tarreau <w@1wt.eu>
Cc: Eric Dumazet <edumazet@google.com>, George Spelvin <lkml@sdf.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Amit Klein <aksecurity@gmail.com>,
"Jason A. Donenfeld" <Jason@zx2c4.com>,
Andy Lutomirski <luto@kernel.org>,
Kees Cook <keescook@chromium.org>,
Thomas Gleixner <tglx@linutronix.de>,
Peter Zijlstra <peterz@infradead.org>,
netdev@vger.kernel.org
Subject: Re: [DRAFT PATCH] random32: make prandom_u32() output unpredictable
Date: Thu, 20 Aug 2020 06:42:23 +0200 [thread overview]
Message-ID: <CA+icZUXV21ZYzcM_rcKfd3pQ56KYueMQ=YKaVc-QEL7Duf2v-A@mail.gmail.com> (raw)
In-Reply-To: <20200820043323.GA21461@1wt.eu>
On Thu, Aug 20, 2020 at 6:33 AM Willy Tarreau <w@1wt.eu> wrote:
>
> On Thu, Aug 20, 2020 at 05:05:49AM +0200, Sedat Dilek wrote:
> > We have the same defines for K0 and K1 in include/linux/prandom.h and
> > lib/random32.c?
> > More room for simplifications?
>
> Definitely, I'm not surprized at all. As I said, the purpose was to
> discuss around the proposal, not much more. If we think it's the way
> to go, some major lifting is required. I just don't want to invest
> significant time on this if nobody cares.
>
OK.
Right now, I will try with the attached diff.
Unclear to me where this modpost "net_rand_noise" undefined! comes from.
Any hints?
- Sedat -
[ prandom-siphash-noise-wtarreau-20200816-dileks.diff ]
diff --git a/drivers/staging/rtl8188eu/include/rtw_security.h
b/drivers/staging/rtl8188eu/include/rtw_security.h
index 8ba02a7cea60..5cbb6fec71cd 100644
--- a/drivers/staging/rtl8188eu/include/rtw_security.h
+++ b/drivers/staging/rtl8188eu/include/rtw_security.h
@@ -221,6 +221,9 @@ do {
\
#define ROL32(A, n) (((A) << (n)) | (((A) >> (32 - (n))) & ((1UL
<< (n)) - 1)))
#define ROR32(A, n) ROL32((A), 32 - (n))
+// XXX: Workaround: Undef defines from <include/linux/prandom.h>
+#undef K0
+#undef K1
struct mic_data {
u32 K0, K1; /* Key */
u32 L, R; /* Current state */
diff --git a/drivers/staging/rtl8712/rtl871x_security.h
b/drivers/staging/rtl8712/rtl871x_security.h
index b2dda16cbd0a..d4ffb31d9d14 100644
--- a/drivers/staging/rtl8712/rtl871x_security.h
+++ b/drivers/staging/rtl8712/rtl871x_security.h
@@ -188,6 +188,9 @@ do {\
#define ROL32(A, n) (((A) << (n)) | (((A)>>(32-(n))) & ((1UL << (n)) - 1)))
#define ROR32(A, n) ROL32((A), 32 - (n))
+// XXX: Workaround: Undef defines from <include/linux/prandom.h>
+#undef K0
+#undef K1
struct mic_data {
u32 K0, K1; /* Key */
u32 L, R; /* Current state */
diff --git a/drivers/staging/rtl8723bs/include/rtw_security.h
b/drivers/staging/rtl8723bs/include/rtw_security.h
index 514c0799c34b..260ca9f29a35 100644
--- a/drivers/staging/rtl8723bs/include/rtw_security.h
+++ b/drivers/staging/rtl8723bs/include/rtw_security.h
@@ -271,6 +271,9 @@ do {\
#define ROL32(A, n) (((A) << (n)) | (((A)>>(32-(n))) & ((1UL << (n)) - 1)))
#define ROR32(A, n) ROL32((A), 32-(n))
+// XXX: Workaround: Undef defines from <include/linux/prandom.h>
+#undef K0
+#undef K1
struct mic_data {
u32 K0, K1; /* Key */
u32 L, R; /* Current state */
diff --git a/include/linux/prandom.h b/include/linux/prandom.h
index 95d73b01d8c5..efebcff3c93d 100644
--- a/include/linux/prandom.h
+++ b/include/linux/prandom.h
@@ -32,6 +32,11 @@ DECLARE_PER_CPU(unsigned long, net_rand_noise);
v1 ^= v0, v0 = rol64(v0, 32), v3 ^= v2, \
v0 += v3, v3 = rol64(v3, 21), v2 += v1, v1 = rol64(v1, 17), \
v3 ^= v0, v1 ^= v2, v2 = rol64(v2, 32) )
+#define SIPROUND(v0,v1,v2,v3) ( \
+ v0 += v1, v1 = rol64(v1, 13), v2 += v3, v3 = rol64(v3, 16), \
+ v1 ^= v0, v0 = rol64(v0, 32), v3 ^= v2, \
+ v0 += v3, v3 = rol64(v3, 21), v2 += v1, v1 = rol64(v1, 17), \
+ v3 ^= v0, v1 ^= v2, v2 = rol64(v2, 32) )
#define K0 (0x736f6d6570736575 ^ 0x6c7967656e657261 )
#define K1 (0x646f72616e646f6d ^ 0x7465646279746573 )
@@ -46,6 +51,11 @@ DECLARE_PER_CPU(unsigned long, net_rand_noise);
v1 ^= v0, v0 = rol32(v0, 16), v3 ^= v2, \
v0 += v3, v3 = rol32(v3, 7), v2 += v1, v1 = rol32(v1, 13), \
v3 ^= v0, v1 ^= v2, v2 = rol32(v2, 16) )
+#define SIPROUND(v0,v1,v2,v3) ( \
+ v0 += v1, v1 = rol32(v1, 5), v2 += v3, v3 = rol32(v3, 8), \
+ v1 ^= v0, v0 = rol32(v0, 16), v3 ^= v2, \
+ v0 += v3, v3 = rol32(v3, 7), v2 += v1, v1 = rol32(v1, 13), \
+ v3 ^= v0, v1 ^= v2, v2 = rol32(v2, 16) )
#define K0 0x6c796765
#define K1 0x74656462
diff --git a/lib/random32.c b/lib/random32.c
index 93f0cd3a67ee..f24c7a0febf0 100644
--- a/lib/random32.c
+++ b/lib/random32.c
@@ -323,37 +323,6 @@ struct siprand_state {
static DEFINE_PER_CPU(struct siprand_state, net_rand_state) __latent_entropy;
DEFINE_PER_CPU(unsigned long, net_rand_noise);
-#if BITS_PER_LONG == 64
-/*
- * The core SipHash round function. Each line can be executed in
- * parallel given enough CPU resources.
- */
-#define SIPROUND(v0,v1,v2,v3) ( \
- v0 += v1, v1 = rol64(v1, 13), v2 += v3, v3 = rol64(v3, 16), \
- v1 ^= v0, v0 = rol64(v0, 32), v3 ^= v2, \
- v0 += v3, v3 = rol64(v3, 21), v2 += v1, v1 = rol64(v1, 17), \
- v3 ^= v0, v1 ^= v2, v2 = rol64(v2, 32) )
-#define K0 (0x736f6d6570736575 ^ 0x6c7967656e657261 )
-#define K1 (0x646f72616e646f6d ^ 0x7465646279746573 )
-
-#elif BITS_PER_LONG == 32
-/*
- * On 32-bit machines, we use HSipHash, a reduced-width version of SipHash.
- * This is weaker, but 32-bit machines are not used for high-traffic
- * applications, so there is less output for an attacker to analyze.
- */
-#define SIPROUND(v0,v1,v2,v3) ( \
- v0 += v1, v1 = rol32(v1, 5), v2 += v3, v3 = rol32(v3, 8), \
- v1 ^= v0, v0 = rol32(v0, 16), v3 ^= v2, \
- v0 += v3, v3 = rol32(v3, 7), v2 += v1, v1 = rol32(v1, 13), \
- v3 ^= v0, v1 ^= v2, v2 = rol32(v2, 16) )
-#define K0 0x6c796765
-#define K1 0x74656462
-
-#else
-#error Unsupported BITS_PER_LONG
-#endif
-
/*
* This is the core CPRNG function. As "pseudorandom", this is not used
* for truly valuable things, just intended to be a PITA to guess.
- EOF -
next prev parent reply other threads:[~2020-08-20 4:42 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CA+icZUVnsmf1kXPYFYufStQ_MxnLuxL+EWfDS2wQy1VbAEMwkA@mail.gmail.com>
2020-08-09 21:10 ` [DRAFT PATCH] random32: make prandom_u32() output unpredictable Sedat Dilek
[not found] ` <20200809235412.GD25124@SDF.ORG>
[not found] ` <20200810034948.GB8262@1wt.eu>
[not found] ` <20200811053455.GH25124@SDF.ORG>
[not found] ` <20200811054328.GD9456@1wt.eu>
[not found] ` <20200811062814.GI25124@SDF.ORG>
[not found] ` <20200811074538.GA9523@1wt.eu>
2020-08-11 10:51 ` Sedat Dilek
2020-08-11 11:01 ` Sedat Dilek
2020-08-12 3:21 ` Willy Tarreau
2020-08-13 7:53 ` Sedat Dilek
2020-08-13 8:06 ` Willy Tarreau
2020-08-13 8:13 ` Sedat Dilek
2020-08-13 8:27 ` Sedat Dilek
2020-08-13 14:00 ` Eric Dumazet
2020-08-13 16:02 ` Sedat Dilek
2020-08-14 15:32 ` Sedat Dilek
2020-08-14 16:05 ` Willy Tarreau
2020-08-14 16:17 ` Sedat Dilek
2020-08-16 15:01 ` Willy Tarreau
2020-08-16 16:48 ` Sedat Dilek
2020-08-20 3:05 ` Sedat Dilek
2020-08-20 4:33 ` Willy Tarreau
2020-08-20 4:42 ` Sedat Dilek [this message]
2020-08-20 6:08 ` Willy Tarreau
2020-08-20 6:58 ` Willy Tarreau
2020-08-20 8:05 ` Willy Tarreau
2020-08-20 12:08 ` Sedat Dilek
[not found] ` <CANEQ_+L+22Hkdqf38Zr0bfq16fcL1Ax2X9fToXV_niHKXCB8aA@mail.gmail.com>
2020-08-27 1:09 ` Willy Tarreau
2020-08-27 7:08 ` Sedat Dilek
2020-08-08 15:26 Flaw in "random32: update the net random state on interrupt and activity" George Spelvin
2020-08-09 6:57 ` [DRAFT PATCH] random32: make prandom_u32() output unpredictable George Spelvin
2020-08-09 9:38 ` Willy Tarreau
2020-08-09 17:06 ` George Spelvin
2020-08-09 17:33 ` Willy Tarreau
2020-08-09 18:30 ` George Spelvin
2020-08-09 19:16 ` Willy Tarreau
2020-08-10 11:47 ` Willy Tarreau
2020-08-10 12:01 ` David Laight
2020-08-10 14:48 ` Willy Tarreau
2020-08-10 12:03 ` Florian Westphal
2020-08-10 14:53 ` Willy Tarreau
2020-08-10 16:31 ` Linus Torvalds
2020-08-10 16:58 ` Willy Tarreau
2020-08-10 17:45 ` Linus Torvalds
2020-08-10 18:01 ` Willy Tarreau
2020-08-10 21:04 ` Willy Tarreau
2020-08-11 5:26 ` George Spelvin
2020-08-11 5:37 ` Willy Tarreau
2020-08-11 3:47 ` George Spelvin
2020-08-11 3:58 ` Willy Tarreau
[not found] ` <fdbc7d7d-cba2-ef94-9bde-b3ccae0cfaac@gmail.com>
2020-08-09 21:10 ` Marc Plumb
2020-08-09 21:48 ` Linus Torvalds
2020-08-09 13:50 ` Randy Dunlap
[not found] ` <CANEQ_++a4YcwQQ2XhuguTono9=RxbSRVsMw08zLWBWJ_wxG2AQ@mail.gmail.com>
2020-08-09 16:08 ` George Spelvin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CA+icZUXV21ZYzcM_rcKfd3pQ56KYueMQ=YKaVc-QEL7Duf2v-A@mail.gmail.com' \
--to=sedat.dilek@gmail.com \
--cc=Jason@zx2c4.com \
--cc=aksecurity@gmail.com \
--cc=edumazet@google.com \
--cc=keescook@chromium.org \
--cc=lkml@sdf.org \
--cc=luto@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=w@1wt.eu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).