Allocate DRBG additional data pool from non-secure memory #9423
Conversation
bernd-edlinger
force-pushed
the
alloc_adin_pool_from_non_secure_mem
branch
2 times, most recently
from
9ce1491
to
50769dc
Compare
|
Definitely a step in the right direction. |
bernd-edlinger
force-pushed
the
alloc_adin_pool_from_non_secure_mem
branch
from
50769dc
to
1bf8253
Compare
There was a problem hiding this comment.
First impression is good. Only one remark and one question.
- Your commit message definitely deserves more text ;-)
- Is there a particular reason why you go from one extreme (secure memory) to the other (no cleaning at all)? I'd prefer if you would keep the cleaning.
|
No real reason, but it is odd that the non-initialized memory causes a msan failure. |
bernd-edlinger
force-pushed
the
alloc_adin_pool_from_non_secure_mem
branch
from
1bf8253
to
dbf2013
Compare
bernd-edlinger
force-pushed
the
alloc_adin_pool_from_non_secure_mem
branch
2 times, most recently
from
301c7a5
to
cc00073
Compare
The additional data allocates 12K per DRBG instance in the secure memory, which is not necessary. Also nonces are not considered secret. [extended tests]
bernd-edlinger
force-pushed
the
alloc_adin_pool_from_non_secure_mem
branch
from
cc00073
to
efa4add
Compare
|
Reverted the test code, and zeroized the additional data pool as before. |
From the security perspective, only the erasing of the buffer before freeing it is important. If you prefer malloc to zalloc for performance reasons, and if you manage to fix the asan complaint, I won't mind. |
|
Unfortunately I was not able to fix the memory sanitizer at this time, |
|
Did anything come of the suggestion to use the entropy argument to determine secure storage or not? |
|
Yes, it still makes sense in case DRBG is created with RAND_DRBG_new: |
|
However we agreed, that the public DRBG will not use non-secure memory. |
|
Thanks for the link. I had to rush through too much today and missed the outcome :( I agree that the DRBG should be in secure memory in addition to the entropy. |
I agree with @bernd-edlinger. I wasn't aware anymore that we have now two flavors of DRBG: a secure one and an insecure one. openssl/crypto/rand/drbg_lib.c Lines 473 to 482 in efa4add (In fact, it was me who added the functions in 4f9dabb, but it was only during code cleanup, so I did not really introduce the two flavors.) So to be consistent, the |
|
@mspncp are your concerns resolved ? |
| @@ -149,7 +149,7 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg, | |||
| pool = drbg->seed_pool; | |||
| pool->entropy_requested = entropy; | |||
| } else { | |||
| pool = rand_pool_new(entropy, min_len, max_len); | |||
| pool = rand_pool_new(entropy, drbg->secure, min_len, max_len); | |||
There was a problem hiding this comment.
So to be consistent, the secure flag should be inherited from the DRBG to its pool, agreed?
Yes. That happens here.
| @@ -110,7 +110,7 @@ size_t rand_crngt_get_entropy(RAND_DRBG *drbg, | |||
| if (crngt_glob == NULL) | |||
| return 0; | |||
|
|
|||
| if ((pool = rand_pool_new(entropy, min_len, max_len)) == NULL) | |||
| if ((pool = rand_pool_new(entropy, 1, min_len, max_len)) == NULL) | |||
| @@ -149,7 +149,7 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg, | |||
| pool = drbg->seed_pool; | |||
| pool->entropy_requested = entropy; | |||
| } else { | |||
| pool = rand_pool_new(entropy, min_len, max_len); | |||
| pool = rand_pool_new(entropy, drbg->secure, min_len, max_len); | |||
| @@ -331,7 +335,7 @@ int RAND_poll(void) | |||
| RAND_POOL *pool = NULL; | |||
|
|
|||
| /* fill random pool and seed the current legacy RNG */ | |||
| pool = rand_pool_new(RAND_DRBG_STRENGTH, | |||
| pool = rand_pool_new(RAND_DRBG_STRENGTH, 1, | |||
|
Merged as 1372560. Thanks! |
The additional data allocates 12K per DRBG instance in the secure memory, which is not necessary. Also nonces are not considered secret. [extended tests] Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from #9423)
I hadn't noticed either. I'm having difficulty thinking of a plausible use case for a non-secure DRBG. Random numbers are fundamental to security and need to be produced in the safest manner possible. Being able to predict future output would be very bad. I feel that the internal state should always be in secure memory as should the entropy input. I can live with the other inputs not being in secure memory (although it could be argued that the additional input is a kind of weak entropy). Anyway, this might be for another PR. |
|
Was there something with the deterministic ecdsa signature, where a drbg would |
|
Yes, it reuses one of the DRBG constructions. |
@paulidale @mspncp how about this?