Re: [PATCH] random.c Remove locking in extract_buf()

On Tue, Feb 01, 2022 at 05:40:11PM +0800, Sandy Harris wrote:
> Jason A. Donenfeld <Jason@xxxxxxxxx> wrote:
> 
> > Either way, I don't think this is safe to do. We want the feed forward
> > there to totally separate generations of seeds.
> 
> Yes, but the right way to do that is to lock the chacha context
> in the reseed function and call extract_buf() while that lock
> is held. I'll send a patch for that soon.

Extract_buf() is supposed to be able to reliably generate high quality
randomness; that's why we use it for the chacha reseed.  If
extract_buf() can return the same value for two parallel calls
to extract_buf(), that's a Bad Thing.  For example, suppose there were
two chacha contexts reseeding using extract_buf(), and they were
racing against each other on two different CPUs.  Having two of them
reseed with the same value would be a cryptographic weakness.

NACK to both patches.

					- Ted
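The race Ted describes above, as an added toy model in C. This is not kernel code and none of it is from the patches under discussion: the pool layout, toy_hash() (a non-cryptographic mixer standing in for the real hash), and the toy_extract_* names are all constructed for illustration. The point it shows is the one in the reply: an extraction is "read the pool, then feed the output back into it", and if two callers can both do the read before either has fed forward, they get the same output. Rather than racing real threads, the interleaving is written out explicitly so the result is deterministic.

```c
/* Added example, not kernel code: a toy model of a feed-forward extractor
 * and why two unserialized extractions can return the same value.
 * The pool, the hash and the API names are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>

#define POOL_WORDS 4

struct toy_pool {
    uint64_t words[POOL_WORDS];
};

/* Stand-in for the real hash: a splitmix64-style mixer over the pool words.
 * Not cryptographic; it only needs to be deterministic and input-sensitive. */
static uint64_t toy_hash(const struct toy_pool *p)
{
    uint64_t h = 0x9E3779B97F4A7C15ULL;
    for (int i = 0; i < POOL_WORDS; i++) {
        h ^= p->words[i];
        h += 0x9E3779B97F4A7C15ULL;
        h = (h ^ (h >> 30)) * 0xBF58476D1CE4E5B9ULL;
        h = (h ^ (h >> 27)) * 0x94D049BB133111EBULL;
        h ^= h >> 31;
    }
    return h;
}

/* Step 1 of an extraction: read the pool and derive the output from it. */
static uint64_t toy_extract_read(const struct toy_pool *p)
{
    return toy_hash(p);
}

/* Step 2: feed the output back into the pool so the next extraction
 * sees a different state (a different constant per word, so the pool
 * always changes even if out happens to be zero). */
static void toy_extract_feed_forward(struct toy_pool *p, uint64_t out)
{
    for (int i = 0; i < POOL_WORDS; i++)
        p->words[i] ^= out + (uint64_t)(i + 1) * 0x632BE59BD9B4E019ULL;
}

/* Serialized extraction: both steps complete before anyone else can read.
 * In the real kernel this is what a lock held across both steps buys you. */
static uint64_t toy_extract_serialized(struct toy_pool *p)
{
    uint64_t out = toy_extract_read(p);
    toy_extract_feed_forward(p, out);
    return out;
}

/* Two extractions run back to back, serialized: the outputs differ
 * because the second one hashes a pool the first one already changed. */
int serialized_outputs_differ(void)
{
    struct toy_pool p = { { 1, 2, 3, 4 } };
    uint64_t a = toy_extract_serialized(&p);
    uint64_t b = toy_extract_serialized(&p);
    return a != b;
}

/* The race from the reply: two CPUs each read the pool before either has
 * fed its output forward. Interleaved by hand here so it is deterministic. */
int racing_outputs_collide(void)
{
    struct toy_pool p = { { 1, 2, 3, 4 } };
    uint64_t a = toy_extract_read(&p);   /* CPU 0 reads the pool          */
    uint64_t b = toy_extract_read(&p);   /* CPU 1 reads the same state    */
    toy_extract_feed_forward(&p, a);     /* CPU 0 feeds forward, too late */
    toy_extract_feed_forward(&p, b);     /* CPU 1 feeds forward           */
    return a == b;                       /* both reseeds got one value    */
}

int main(void)
{
    printf("serialized extractions differ: %d\n", serialized_outputs_differ());
    printf("racing extractions collide:    %d\n", racing_outputs_collide());
    return 0;
}
```

The model is deliberately minimal: the feed-forward step is what links one extraction to the next, so it only separates generations if no other reader can get between the hash and the mix-back. That is why the reply insists the lock has to cover the whole extraction rather than just the chacha context.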


