| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAHmME9oLau3HhirPE-B=z-BVv7fph7Ws=smzsa6_SZGxY__auA@mail.gmail.com>
Date: Sun, 18 Jun 2017 21:11:20 +0200
From: "Jason A. Donenfeld" <Jason@...c4.com>
To: "Theodore Ts'o" <tytso@....edu>,
Stephan Müller <smueller@...onox.de>,
kernel-hardening@...ts.openwall.com,
Michael Ellerman <mpe@...erman.id.au>,
"Jason A. Donenfeld" <Jason@...c4.com>,
Linux Crypto Mailing List <linux-crypto@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
David Miller <davem@...emloft.net>,
Eric Biggers <ebiggers3@...il.com>
Subject: Re: [kernel-hardening] Re: [PATCH v4 13/13] random: warn when kernel
uses unseeded randomness
On Sun, Jun 18, 2017 at 5:46 PM, Theodore Ts'o <tytso@....edu> wrote:
> You are effectively proposing that there ought to be a middle range of
> security between prandom_32, get_random_u32/get_random_u64 and
> get_random_bytes(). I think that's going to lead to all sorts of
> complexity and bugs from people not understanding when they should use
> get_random_u32 vs get_random_bytes versus prandom_u32. And then we'll
> end up needing to audit all of the callsites for get_random_u32() so
> they don't violate this new usage rule that you are proposing.
I agree with you wholeheartedly.
get_random_* provides the secure random numbers.
prandom_* provides the insecure random numbers.
Introducing some kind of middle ground will result in needless
complexity and inevitable bugs.
Powered by blists - more mailing lists