On Tue, Feb 01, 2022 at 05:40:11PM +0800, Sandy Harris wrote:
> Jason A. Donenfeld <Jason@xxxxxxxxx> wrote:
>
> > Either way, I don't think this is safe to do. We want the feed forward
> > there to totally separate generations of seeds.
>
> Yes, but the right way to do that is to lock the chacha context
> in the reseed function and call extract_buf() while that lock
> is held. I'll send a patch for that soon.

Extract_buf() is supposed to be able to reliably generate high quality
randomness; that's why we use it for the chacha reseed. If
extract_buf() can return the same value for two parallel calls to
extract_buf(), that's a Bad Thing.

For example, suppose there were two chacha contexts reseeding using
extract_buf(), and they were racing against each other on two
different CPUs. Having two of them reseed with the same value would be
a cryptographic weakness.

NACK to both patches.

- Ted
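To illustrate the point Ted makes about feed forward and racing extractions, here is an added toy model in C; it is not kernel code and uses a constructed, non-cryptographic mixer (`toy_hash`) in place of the real pool hash. It shows that a serialised read-hash-feedback step yields distinct seeds, while two callers that both read the pool before either writes back obtain identical output.

```c
#include <stdint.h>
#include <string.h>

#define POOL_LEN 16
#define OUT_LEN 8

/* Toy, non-cryptographic mixer standing in for the pool hash. */
static void toy_hash(const uint8_t *pool, uint8_t out[OUT_LEN]) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < POOL_LEN; i++) {
        h ^= pool[i];
        h *= 0x100000001b3ULL;
    }
    for (size_t i = 0; i < OUT_LEN; i++)
        out[i] = (uint8_t)(h >> (8 * i));
}

/* Feed forward: mix the output back so the next generation differs. */
static void feed_forward(uint8_t *pool, const uint8_t out[OUT_LEN]) {
    for (size_t i = 0; i < POOL_LEN; i++)
        pool[i] ^= out[i % OUT_LEN];
}

/* Serialised extraction: read, hash and feed back as one step (as if
 * done under a lock covering the whole operation). */
void extract_serialised(uint8_t *pool, uint8_t out[OUT_LEN]) {
    toy_hash(pool, out);
    feed_forward(pool, out);
}

/* Two callers extracting back to back under the lock: seeds differ. */
int serialised_seeds_differ(void) {
    uint8_t pool[POOL_LEN] = {0};   /* constructed initial pool state */
    uint8_t a[OUT_LEN], b[OUT_LEN];
    extract_serialised(pool, a);
    extract_serialised(pool, b);
    return memcmp(a, b, OUT_LEN) != 0;
}

/* Racing callers: both read the pool before either feeds back, so the
 * feed forward no longer separates the two generations of seeds. */
int raced_seeds_collide(void) {
    uint8_t pool[POOL_LEN] = {0};   /* constructed initial pool state */
    uint8_t snap_a[POOL_LEN], snap_b[POOL_LEN];
    uint8_t a[OUT_LEN], b[OUT_LEN];
    memcpy(snap_a, pool, POOL_LEN);  /* CPU 0 reads the pool */
    memcpy(snap_b, pool, POOL_LEN);  /* CPU 1 reads the same state */
    toy_hash(snap_a, a);
    toy_hash(snap_b, b);
    feed_forward(pool, a);           /* write-back happens too late */
    feed_forward(pool, b);
    return memcmp(a, b, OUT_LEN) == 0;
}
```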