[src/netbsd-6-0]: src/sys/kern Pull up following revision(s) (requested by tl...

[bouyer <bouyer%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/e3633cfccc3e
branches:  netbsd-6-0
changeset: 774746:e3633cfccc3e
user:      bouyer <bouyer%NetBSD.org@localhost>
date:      Sat Jan 26 21:36:10 2013 +0000

description:
Pull up following revision(s) (requested by tls in ticket #800):
        sys/kern/subr_cprng.c: revision 1.15
Fix a security issue: when we are reseeding a PRNG seeded early in boot
before we had ever had any entropy, if something else has consumed the
entropy that triggered the immediate reseed, we can reseed with as little
as sizeof(int) bytes of entropy.

diffstat:

 sys/kern/subr_cprng.c |  30 ++++++++++++++++++++++--------
 1 files changed, 22 insertions(+), 8 deletions(-)

diffs (84 lines):

diff -r 97d170a7b5ea -r e3633cfccc3e sys/kern/subr_cprng.c
--- a/sys/kern/subr_cprng.c     Sun Jan 13 19:09:32 2013 +0000
+++ b/sys/kern/subr_cprng.c     Sat Jan 26 21:36:10 2013 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: subr_cprng.c,v 1.5.2.3 2012/05/21 16:49:54 jdc Exp $ */
+/*     $NetBSD: subr_cprng.c,v 1.5.2.3.4.1 2013/01/26 21:36:10 bouyer Exp $ */
 
 /*-
  * Copyright (c) 2011 The NetBSD Foundation, Inc.
@@ -46,7 +46,7 @@
 
 #include <sys/cprng.h>
 
-__KERNEL_RCSID(0, "$NetBSD: subr_cprng.c,v 1.5.2.3 2012/05/21 16:49:54 jdc Exp $");
+__KERNEL_RCSID(0, "$NetBSD: subr_cprng.c,v 1.5.2.3.4.1 2013/01/26 21:36:10 bouyer Exp $");
 
 void
 cprng_init(void)
@@ -84,6 +84,8 @@
                                 &cc, sizeof(cc))) {
                panic("cprng %s: nist_ctr_drbg_reseed failed.", c->name);
        }
+       memset(c->reseed.data, 0, c->reseed.len);
+
 #ifdef RND_VERBOSE
        printf("cprng %s: reseeded with rnd_filled = %d\n", c->name,
                                                            rnd_filled);
@@ -154,6 +156,17 @@
        mutex_exit(&c->mtx);
 }
 
+static size_t
+cprng_entropy_try(uint8_t *key, size_t keylen, int hard)
+{
+       int r;
+       r = rnd_extract_data(key, keylen, RND_EXTRACT_GOOD);
+       if (r != keylen && !hard) {
+               rnd_extract_data(key + r, keylen - r, RND_EXTRACT_ANY);
+       }
+       return r;
+}
+
 cprng_strong_t *
 cprng_strong_create(const char *const name, int ipl, int flags)
 {
@@ -183,15 +196,13 @@
 
        selinit(&c->selq);
 
-       r = rnd_extract_data(key, sizeof(key), RND_EXTRACT_GOOD);
+       r = cprng_entropy_try(key, sizeof(key), c->flags & CPRNG_INIT_ANY);
        if (r != sizeof(key)) {
                if (c->flags & CPRNG_INIT_ANY) {
 #ifdef DEBUG
                        printf("cprng %s: WARNING insufficient "
                               "entropy at creation.\n", name);
 #endif
-                       rnd_extract_data(key + r, sizeof(key - r),
-                                        RND_EXTRACT_ANY);
                } else {
                        hard++;
                }
@@ -233,15 +244,18 @@
                if (c->flags & CPRNG_REKEY_ANY) {
                        uint8_t key[NIST_BLOCK_KEYLEN_BYTES];
 
-                       printf("cprng %s: WARNING pseudorandom rekeying.\n",
-                              c->name);
-                        rnd_extract_data(key, sizeof(key), RND_EXTRACT_ANY);
+                       if (cprng_entropy_try(key, sizeof(key), 0) !=
+                           sizeof(key)) {
+                               printf("cprng %s: WARNING "
+                                      "pseudorandom rekeying.\n", c->name);
+                       }
                        cc = cprng_counter();
                        if (nist_ctr_drbg_reseed(&c->drbg, key, sizeof(key),
                            &cc, sizeof(cc))) {
                                panic("cprng %s: nist_ctr_drbg_reseed "
                                      "failed.", c->name);
                        }
+                       memset(key, 0, sizeof(key));
                } else {
                        int wr;