Re: [PATCH]

From: Jean-Luc Cooke (jlcooke_at_certainkey.com)
Date: 08/06/04

Date: Fri, 6 Aug 2004 08:54:27 -0400
To: James Morris <jmorris@redhat.com>

    On Fri, Aug 06, 2004 at 12:42:38AM -0400, James Morris wrote:
    > On Fri, 6 Aug 2004, Jean-Luc Cooke wrote:
    >
    > > James,
    > > Back to your question:
    > > I want to replace the legacy MD5 and the incorrectly implemented SHA-1
    > > implementations from driver/char/random.c
    >
    > Incorrectly implemented? Do you mean not appending the bit count?

    That and it's not endian-correct. There are other issues with random.c (lack
    of forward secrecy in the case of seed discovery, use of the insecure MD4 in
    creating syn and seq# for tcp, the use of halfMD4 and twothirdsMD4 is madness
    (what is 2/3's of 16!?!), the use of LFSRs for "mixing" when they're linear,
    the polynomials used are not even primitive, the ability for root to wipe-out
    the random pool, the ability for root to access the random seed directly, the
    paper I'm co-authoring will explain all of this).

    Basically, the paper will be describing about 12 security problems with the
    current random.c and propose (with patch included) a new design that solves
    all of these, uses crypto-api, uses known crypto primitives, is simpler to
    read and analyse and for a bonus is 2x to 4x faster in adding and retrieving
    data from the pool.

    If I can avoid scatter-gather for what is effectively just mixing bytes with
    SHA256 & AES256 then this would make things very neat and tidy (read: easier
    for peer review)

    Cheers,

    JLC
    -
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/
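The two SHA-1 defects named in the reply (no bit count appended, not endian-correct) are easiest to see against a reference implementation that does both explicitly. The following is an added example, not code from the thread or from random.c: a minimal SHA-1 in C that loads and stores words big-endian regardless of host byte order and pads with 0x80, zeros, and the 64-bit big-endian bit count. It is checked against the FIPS 180-1 test vectors, which is the check a reviewer would run before trusting any hash in a pool mixer; a hash that skips the length or the byte-swap produces a different digest and fails the first vector.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t rol(uint32_t x, int n) { return (x << n) | (x >> (32 - n)); }

/* Compress one 64-byte block. Message words are read big-endian byte by byte,
 * so the result is the same on little- and big-endian hosts. */
static void sha1_block(uint32_t h[5], const uint8_t blk[64]) {
    uint32_t w[80];
    for (int i = 0; i < 16; i++)
        w[i] = ((uint32_t)blk[4*i] << 24) | ((uint32_t)blk[4*i+1] << 16) |
               ((uint32_t)blk[4*i+2] << 8) | (uint32_t)blk[4*i+3];
    for (int i = 16; i < 80; i++)
        w[i] = rol(w[i-3] ^ w[i-8] ^ w[i-14] ^ w[i-16], 1);
    uint32_t a = h[0], b = h[1], c = h[2], d = h[3], e = h[4];
    for (int i = 0; i < 80; i++) {
        uint32_t f, k;
        if (i < 20)      { f = (b & c) | (~b & d);          k = 0x5A827999; }
        else if (i < 40) { f = b ^ c ^ d;                   k = 0x6ED9EBA1; }
        else if (i < 60) { f = (b & c) | (b & d) | (c & d); k = 0x8F1BBCDC; }
        else             { f = b ^ c ^ d;                   k = 0xCA62C1D6; }
        uint32_t t = rol(a, 5) + f + e + k + w[i];
        e = d; d = c; c = rol(b, 30); b = a; a = t;
    }
    h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e;
}

/* Full SHA-1: process whole blocks, then the final block(s) carrying the
 * mandatory padding: 0x80, zero fill, and the message length in bits as a
 * 64-bit big-endian integer. Omitting that length is the defect discussed. */
void sha1(const uint8_t *msg, size_t len, uint8_t out[20]) {
    uint32_t h[5] = {0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0};
    size_t i = 0;
    for (; i + 64 <= len; i += 64) sha1_block(h, msg + i);
    uint8_t buf[128];
    size_t rem = len - i;
    memcpy(buf, msg + i, rem);
    buf[rem] = 0x80;
    size_t padlen = (rem < 56) ? 64 : 128;   /* need 8 bytes free for the count */
    memset(buf + rem + 1, 0, padlen - rem - 1);
    uint64_t bits = (uint64_t)len * 8;
    for (int j = 0; j < 8; j++) buf[padlen - 1 - j] = (uint8_t)(bits >> (8 * j));
    sha1_block(h, buf);
    if (padlen == 128) sha1_block(h, buf + 64);
    /* Digest is emitted big-endian as well. */
    for (int j = 0; j < 5; j++) {
        out[4*j]   = (uint8_t)(h[j] >> 24); out[4*j+1] = (uint8_t)(h[j] >> 16);
        out[4*j+2] = (uint8_t)(h[j] >> 8);  out[4*j+3] = (uint8_t)h[j];
    }
}

/* Hash a C string and compare the hex digest with a known test vector.
 * Returns 1 on match, 0 otherwise. */
int sha1_check(const char *msg, const char *expected_hex) {
    uint8_t d[20];
    char hex[41];
    sha1((const uint8_t *)msg, strlen(msg), d);
    for (int i = 0; i < 20; i++) sprintf(hex + 2 * i, "%02x", d[i]);
    hex[40] = '\0';
    return strcmp(hex, expected_hex) == 0;
}

int main(void) {
    /* FIPS 180-1 vectors: one block, the empty string, and a 56-byte message
     * that forces the two-block padding path. */
    printf("abc:   %s\n", sha1_check("abc", "a9993e364706816aba3e25717850c26c9cd0d89d") ? "ok" : "FAIL");
    printf("empty: %s\n", sha1_check("", "da39a3ee5e6b4b0d3255bfef95601890afd80709") ? "ok" : "FAIL");
    printf("56B:   %s\n", sha1_check("abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
                                   "84983e441c3bd26ebaae4aa1f95129e5e54670f1") ? "ok" : "FAIL");
    return 0;
}
```

The 56-byte vector matters because it is exactly the case where the bit count no longer fits in the first padded block and a second block is required; implementations that get one-block inputs right often fail here.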

