From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: Theodore Ts'o <tytso@mit.edu>, Linux Crypto Mailing List <linux-crypto@vger.kernel.org>, LKML <linux-kernel@vger.kernel.org>, kernel-hardening@lists.openwall.com, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Eric Biggers <ebiggers3@gmail.com>, Linus Torvalds <torvalds@linux-foundation.org>, David Miller <davem@davemloft.net>
Cc: "Jason A. Donenfeld" <Jason@zx2c4.com>, Marcel Holtmann <marcel@holtmann.org>, Gustavo Padovan <gustavo@padovan.org>, Johan Hedberg <johan.hedberg@gmail.com>
Subject: [PATCH v5 12/13] bluetooth/smp: ensure RNG is properly seeded before ECDH use
Date: Thu, 8 Jun 2017 01:26:06 +0200
Message-ID: <20170607232607.26870-13-Jason@zx2c4.com>
In-Reply-To: <20170607232607.26870-1-Jason@zx2c4.com>

This protocol uses lots of complex cryptography that relies on securely generated random numbers. Thus, it's important that the RNG is actually seeded before use. Fortunately, it appears we're always operating in process context (there are many GFP_KERNEL allocations and other sleeping operations), and so we can simply demand that the RNG is seeded before we use it.

We take two strategies in this commit. The first is for the library code that's called from other modules like hci or mgmt: here we just change the call to get_random_bytes_wait, and return the result of the wait to the caller, along with the other error codes of those functions like usual.

Then there's the SMP protocol handler itself, which makes many many many calls to get_random_bytes during different phases. For this, rather than have to change all the calls to get_random_bytes_wait and propagate the error result, it's actually enough to just put a single call to wait_for_random_bytes() at the beginning of the handler, to ensure that all the subsequent invocations are safe, without having to actually change them.
Likewise, for the random address changing function, we'd rather know early on in the function whether the RNG initialization has been interrupted, rather than later, so we call wait_for_random_bytes() at the top, so that later on the call to get_random_bytes() is acceptable.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Gustavo Padovan <gustavo@padovan.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
---
net/bluetooth/hci_request.c | 6 ++++++
net/bluetooth/smp.c | 18 ++++++++++++++----
2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/net/bluetooth/hci_request.c b/net/bluetooth/hci_request.c index b5faff458d8b..4078057c4fd7 100644 --- a/net/bluetooth/hci_request.c +++ b/net/bluetooth/hci_request.c @@ -1406,6 +1406,12 @@ int hci_update_random_address(struct hci_request *req, bool require_privacy, struct hci_dev *hdev = req->hdev; int err; + if (require_privacy) { + err = wait_for_random_bytes(); + if (unlikely(err)) + return err; + } + /* If privacy is enabled use a resolvable private address. If * current RPA has expired or there is something else than * the current RPA in use, then generate a new one. diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c index 14585edc9439..5fef1bc96f42 100644 --- a/net/bluetooth/smp.c +++ b/net/bluetooth/smp.c @@ -537,7 +537,9 @@ int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa) smp = chan->data; - get_random_bytes(&rpa->b[3], 3); + err = get_random_bytes_wait(&rpa->b[3], 3); + if (unlikely(err)) + return err; rpa->b[5] &= 0x3f; /* Clear two most significant bits */ rpa->b[5] |= 0x40; /* Set second most significant bit */ 
@@ -570,7 +572,9 @@ int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16]) } else { while (true) { /* Seed private key with random number */ - get_random_bytes(smp->local_sk, 32); + err = get_random_bytes_wait(smp->local_sk, 32); + if (unlikely(err)) + return err; /* Generate local key pair for Secure Connections */ if (!generate_ecdh_keys(smp->local_pk, smp->local_sk)) @@ -589,7 +593,9 @@ int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16]) SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32); SMP_DBG("OOB Private Key: %32phN", smp->local_sk); - get_random_bytes(smp->local_rand, 16); + err = get_random_bytes_wait(smp->local_rand, 16); + if (unlikely(err)) + return err; err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk, smp->local_rand, 0, hash); @@ -2831,7 +2837,11 @@ static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb) struct hci_conn *hcon = conn->hcon; struct smp_chan *smp; __u8 code, reason; - int err = 0; + int err; + + err = wait_for_random_bytes(); + if (unlikely(err)) + return err; if (skb->len < 1) return -EILSEQ; -- 2.13.0
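Review bot: in the hci_update_random_address() hunk the new wait_for_random_bytes() is gated on require_privacy, so the resolvable-private-address path described by the comment right below it ("If privacy is enabled use a resolvable private address...") is not covered by this wait; that path is only safe because smp_generate_rpa() in the smp.c hunk now calls get_random_bytes_wait() itself. A one-line comment above the `if (require_privacy)` saying that the RPA path waits inside smp_generate_rpa() would spare the next reader from asking why the wait is conditional.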
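Review bot: the smp_generate_rpa() hunk assigns `err = get_random_bytes_wait(&rpa->b[3], 3);` but no declaration of `err` appears in the hunk's context lines; if the function already declares `int err;` for a later call this is fine, otherwise the hunk needs the declaration. It is also worth a sentence in the commit message that smp_generate_rpa() can now fail before the address is touched, so its callers must check the return value rather than assume `rpa` was filled.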
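Review bot: in the first smp_generate_oob() hunk the wait sits inside the `while (true)` key-generation retry loop, so it is re-executed on every iteration; that is harmless once the RNG is seeded, but hoisting a single wait_for_random_bytes() above the loop, the way smp_sig_channel() does in the last hunk, would make the one blocking point explicit and keep the in-loop call a plain fill. If the in-loop form stays, a short comment noting that it only blocks on the first pass would help.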
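Review bot: the wait_for_random_bytes() added at the top of smp_sig_channel() runs for every incoming SMP PDU, including ones that never draw randomness, and it returns before the existing `if (skb->len < 1) return -EILSEQ;` check, so an interrupted wait is reported to the caller exactly like a malformed PDU. That is the trade-off the commit message chooses; please add a comment at the call site stating that the wait is expected to block only until first seeding and that its error propagates like any other handler error, since nothing in the hunk distinguishes the two cases for a reader.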
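The commit message's first strategy (call a blocking, seeded-RNG fill and hand any failure back to the caller) can be exercised outside the kernel. The block below is an added example, not code from the patch or from the Bluetooth subsystem: it uses the Linux getrandom(2) system call as a userspace stand-in for get_random_bytes_wait() and mirrors only the random part of smp_generate_rpa() as shown in the hunk (three random bytes into b[3..5], then the 0x3f/0x40 mask on b[5]); the IRK hash half of RPA generation is deliberately left out. The function names get_random_bytes_or_fail, rpa_fill_prand, rpa_has_resolvable_marker and rpa_selftest are this example's own.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>
#include <sys/random.h>

/* Userspace analogue of get_random_bytes_wait(): fill buf from the kernel
 * CSPRNG and block until the pool is seeded (flags == 0). A signal arriving
 * while we are blocked surfaces as EINTR; as the patch does in the kernel,
 * we hand that back to the caller as an error instead of retrying silently
 * or falling back to unseeded output. Returns 0 or a negative errno. */
static int get_random_bytes_or_fail(void *buf, size_t len)
{
	unsigned char *p = buf;

	while (len > 0) {
		ssize_t n = getrandom(p, len, 0);

		if (n < 0)
			return -errno;	/* -EINTR, -ENOSYS, ... */
		p += (size_t)n;
		len -= (size_t)n;
	}
	return 0;
}

/* Mirrors the random part of smp_generate_rpa() from the hunk: three random
 * bytes land in b[3..5], then the two top bits of b[5] are forced to 01 so
 * the address is marked as a resolvable private address. The smp_ah() hash
 * over the IRK that fills b[0..2] in the real function is omitted here. */
int rpa_fill_prand(uint8_t rpa[6])
{
	int err = get_random_bytes_or_fail(&rpa[3], 3);

	if (err)
		return err;	/* propagate the failed wait, as the patch does */
	rpa[5] &= 0x3f;		/* Clear two most significant bits */
	rpa[5] |= 0x40;		/* Set second most significant bit */
	return 0;
}

/* Defender-side check: does the top byte carry the RPA marker (01xxxxxx)? */
int rpa_has_resolvable_marker(const uint8_t rpa[6])
{
	return (rpa[5] & 0xc0) == 0x40;
}

/* Self-test: returns 1 when generation succeeded, the hash bytes b[0..2]
 * were left untouched and the marker bits are set; 0 otherwise. */
int rpa_selftest(void)
{
	uint8_t rpa[6];

	memset(rpa, 0, sizeof(rpa));	/* constructed zero address */
	if (rpa_fill_prand(rpa) != 0)
		return 0;
	if (rpa[0] || rpa[1] || rpa[2])
		return 0;
	return rpa_has_resolvable_marker(rpa);
}
```

The design point carried over from the patch is that the only two outcomes are "seeded bytes written" or "error returned with the buffer untouched"; there is no third path where a caller proceeds with bytes from an unseeded pool.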