Re: [PATCH] random: Don't reset crng_init_cnt on urandom_read()

From: Theodore Ts'o
Date: Mon Jan 03 2022 - 11:39:03 EST

Next message: Christian Hewitt: "[PATCH v2 0/9] arm64: dts: meson: add support for aac2xx devices"
Previous message: Jason A. Donenfeld: "Re: [PATCH] random: reseed in RNDRESEEDCRNG for the !crng_ready() case"
In reply to: Jason A. Donenfeld: "Re: [PATCH] random: Don't reset crng_init_cnt on urandom_read()"
Next in thread: Jason A. Donenfeld: "Re: [PATCH] random: Don't reset crng_init_cnt on urandom_read()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Jan 03, 2022 at 05:03:57PM +0100, Jason A. Donenfeld wrote:
> On Mon, Jan 3, 2022 at 4:59 PM Jann Horn <jannh@xxxxxxxxxx> wrote:
> > This code was inconsistent, and it probably made things worse - just get
> > rid of it.
>
> Rather than adding crng_init_cnt=0 if crng_init<1 to extract_crng_user
> and get_random_bytes, getting rid of it like this seems probably okay
> and makes the model simpler. I'll apply this. Thank you.

Ack. It does mean that we're making a choice that an attacker who is
carrying out a incremental state tracking attack on the CRNG will make
/dev/urandom (and getrandom) to make the crng emit "less secure" in
the period when crng_init is > 0 and < 2. On the other hand, this
allows us to get to the state of crng_init=2 faster, where as before,
the attacker could delay getting us to the state crng_init=1 forever,
where reads from /dev/urandom would be hence be insecure forever (and
getrandom() would block forever).

- Ted

Next message: Christian Hewitt: "[PATCH v2 0/9] arm64: dts: meson: add support for aac2xx devices"
Previous message: Jason A. Donenfeld: "Re: [PATCH] random: reseed in RNDRESEEDCRNG for the !crng_ready() case"
In reply to: Jason A. Donenfeld: "Re: [PATCH] random: Don't reset crng_init_cnt on urandom_read()"
Next in thread: Jason A. Donenfeld: "Re: [PATCH] random: Don't reset crng_init_cnt on urandom_read()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]