lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 16 Feb 2019 13:23:55 -0500 From: "Theodore Y. Ts'o" <tytso@....edu> To: Bernd Edlinger <bernd.edlinger@...mail.de> CC: Arnd Bergmann <arnd@...db.de>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org> Subject: Re: [PATCHv2] random: Make /dev/random wait for crng_ready On Fri, Feb 15, 2019 at 01:58:20PM +0000, Bernd Edlinger wrote: > Reading from /dev/random may return data while the getrandom > syscall is still blocking. > > Those bytes are not yet cryptographically secure. > > The first byte from /dev/random can have as little > as 8 bits entropy estimation. Once a read blocks, it will > block until /proc/sys/kernel/random/read_wakeup_threshold > bits are available, which is usually 64 bits, but can be > configured as low as 8 bits. A select will wake up when > at least read_wakeup_threshold bits are available. > Also when constantly reading bytes out of /dev/random > it will prevent the crng init done event forever. > > Fixed by making read and select on /dev/random wait until > the crng is fully initialized. > > Signed-off-by: Bernd Edlinger <bernd.edlinger@...mail.de> This really isn't a correct way to fix things; since the blocking_pool used for /dev/random and the CRNG state are different things, and are fed by different sources of entropy. What we should do is to have a separate flag which indicates that the blocking_pool has been adequately initialized, and set it only when the entropy count in the blocking pool is at least 128 bits. When get woken up by the reader lock, we would transfer entropy from the input pool to the blocking pool, and if the pool is not yet initializedm, and the entropy count is less than 128 bits, we wait until it is. - Ted
Powered by blists - more mailing lists