-
-
Notifications
You must be signed in to change notification settings - Fork 10k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allocate DRBG additional data pool from non-secure memory #9423
Allocate DRBG additional data pool from non-secure memory #9423
Conversation
9ce1491
to
50769dc
Compare
Definitely a step in the right direction. |
50769dc
to
1bf8253
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
First impression is good. Only one remark and one question.
- Your commit message definitely deserves more text ;-)
- Is there a particular reason why you go from one extreme (secure memory) to the other (no cleaning at all)? I'd prefer if you would keep the cleaning.
No real reason, but it is odd that the non-initialized memory causes a msan failure. |
1bf8253
to
dbf2013
Compare
301c7a5
to
cc00073
Compare
The additional data allocates 12K per DRBG instance in the secure memory, which is not necessary. Also nonces are not considered secret. [extended tests]
cc00073
to
efa4add
Compare
Reverted the test code, and zeroized the additional data pool as before. |
From the security perspective, only the erasing of the buffer before freeing it is important. If you prefer malloc to zalloc for performance reasons, and if you manage to fix the asan complaint, I won't mind. |
Unfortunately I was not able to fix the memory sanitizer at this time, |
Did anything come of the suggestion to use the entropy argument to determine secure storage or not? |
Yes, it still makes sense in case DRBG is created with RAND_DRBG_new: |
However we agreed, that the public DRBG will not use non-secure memory. |
Thanks for the link. I had to rush through too much today and missed the outcome :( I agree that the DRBG should be in secure memory in addition to the entropy. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm assuming that the Travis failures aren't relevant (they didn't appear to be).
I agree with @bernd-edlinger. I wasn't aware anymore that we have now two flavors of DRBG: a secure one and an insecure one. openssl/crypto/rand/drbg_lib.c Lines 473 to 482 in efa4add
(In fact, it was me who added the functions in 4f9dabb, but it was only during code cleanup, so I did not really introduce the two flavors.) So to be consistent, the |
@mspncp are your concerns resolved ? |
@@ -149,7 +149,7 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg, | |||
pool = drbg->seed_pool; | |||
pool->entropy_requested = entropy; | |||
} else { | |||
pool = rand_pool_new(entropy, min_len, max_len); | |||
pool = rand_pool_new(entropy, drbg->secure, min_len, max_len); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So to be consistent, the secure flag should be inherited from the DRBG to its pool, agreed?
Yes. That happens here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me now. In particular the locations which I marked explicitly.
@@ -110,7 +110,7 @@ size_t rand_crngt_get_entropy(RAND_DRBG *drbg, | |||
if (crngt_glob == NULL) | |||
return 0; | |||
|
|||
if ((pool = rand_pool_new(entropy, min_len, max_len)) == NULL) | |||
if ((pool = rand_pool_new(entropy, 1, min_len, max_len)) == NULL) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
@@ -149,7 +149,7 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg, | |||
pool = drbg->seed_pool; | |||
pool->entropy_requested = entropy; | |||
} else { | |||
pool = rand_pool_new(entropy, min_len, max_len); | |||
pool = rand_pool_new(entropy, drbg->secure, min_len, max_len); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LTGM
@@ -331,7 +335,7 @@ int RAND_poll(void) | |||
RAND_POOL *pool = NULL; | |||
|
|||
/* fill random pool and seed the current legacy RNG */ | |||
pool = rand_pool_new(RAND_DRBG_STRENGTH, | |||
pool = rand_pool_new(RAND_DRBG_STRENGTH, 1, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Merged as 1372560. Thanks! |
The additional data allocates 12K per DRBG instance in the secure memory, which is not necessary. Also nonces are not considered secret. [extended tests] Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from #9423)
I hadn't noticed either. I'm having difficulty thinking of a plausible use case for a non-secure DRBG. Random numbers are fundamental to security and need to be produced in the safest manner possible. Being able to predict future output would be very bad. I feel that the internal state should always be in secure memory as should the entropy input. I can live with the other inputs not being in secure memory (although it could be argued that the additional input is a kind of weak entropy). Anyway, this might be for another PR. |
Was there something with the deterministic ecdsa signature, where a drbg would |
Yes, it reuses one of the DRBG constructions. |
@paulidale @mspncp how about this?