Received: by 2002:a05:6a10:1a4d:0:0:0:0 with SMTP id nk13csp1781630pxb; Wed, 2 Feb 2022 12:22:02 -0800 (PST) X-Google-Smtp-Source: ABdhPJz/cSSm9xVP+zRlKIpjQuQeZUPjgCZYxag8VrYsFnZPSd2u9hJETgANggVPUHAIFpiQxvZC X-Received: by 2002:a17:902:b48c:: with SMTP id y12mr32862218plr.165.1643833322226; Wed, 02 Feb 2022 12:22:02 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1643833322; cv=none; d=google.com; s=arc-20160816; b=DAOkzjURfaWmGSHuwG4sn00mLNaBbNLoBpdX0S3dVM+r7WQUner0vKq0uQMfXvTxsr OrAOi//f2iJSQSapmBV5fdt2zU1T18xiSThLSD/H32tDNRpmjkGYsS4wskFdG/s6CljM OEcpL2yZLmwPGiPtoPJBslWYydPV8iO0Mt4ZdI7TY1y6GTLd2XXoz9SV2El7ETTJzioS igWH03B19GDaxkqIiAy0P8kQmCjv+Fgh2VK7KRESdMdAQx+1ddvZltXjl2aKRrlOspUJ QYeHsPxHqQpdaH7QavbHkFJYVdCuKR23ml9GWGSb9N2ncmTa0fEFHjzdy5xwb3B/k0PQ jxeQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=iRWyH+sgk9wORMMyVPPIrm2GZJeL70A/hRD0Sy7VMoI=; b=Y37N/5MLS9xyJKMHSBptdApWeQj2QA7GZYZofpObdL2QOYN3iBUoDCeC6PzaxxEU8j /UU8kUbIWRKpQFxs7g0FVEC1eOrkQzpfQGbrFcYpIdrxpYz48X7QvSNsGRkInhIxE6y/ o4b2SBhIwCGK1oPDIn/Wp9yZrq3eqM797005+lYe1eH/0lUaOvEaR6omo3WPEtBOzK8e w7mzWU4XPu2T0j4WbfSBZt2oxNS4JyN6GQGqbm5HZmlljpboqIyAKlVJxWxP414hqsTD clkElQcZ3btx7EMxjD/jo4OPJVuslGBmWJnCxALjBdL18Dzv+Jfx28JLqkB8W4XenXzO bizw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mit.edu Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id z1si22023301plg.542.2022.02.02.12.21.47; Wed, 02 Feb 2022 12:22:02 -0800 (PST) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mit.edu Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240797AbiBAQD2 (ORCPT + 99 others); Tue, 1 Feb 2022 11:03:28 -0500 Received: from outgoing-auth-1.mit.edu ([18.9.28.11]:53020 "EHLO outgoing.mit.edu" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S240788AbiBAQD2 (ORCPT ); Tue, 1 Feb 2022 11:03:28 -0500 Received: from cwcc.thunk.org (pool-108-7-220-252.bstnma.fios.verizon.net [108.7.220.252]) (authenticated bits=0) (User authenticated as tytso@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 211G3FRg023102 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 1 Feb 2022 11:03:15 -0500 Received: by cwcc.thunk.org (Postfix, from userid 15806) id 351DA15C0040; Tue, 1 Feb 2022 11:03:15 -0500 (EST) Date: Tue, 1 Feb 2022 11:03:15 -0500 From: "Theodore Ts'o" To: Sandy Harris Cc: "Jason A. Donenfeld" , Linux Crypto Mailing List , m@ib.tc, Herbert Xu Subject: Re: [PATCH] random.c Remove locking in extract_buf() Message-ID: References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Tue, Feb 01, 2022 at 05:40:11PM +0800, Sandy Harris wrote: > Jason A. Donenfeld wrote: > > > Either way, I don't think this is safe to do. We want the feed forward > > there to totally separate generations of seeds. > > Yes, but the right way to do that is to lock the chacha context > in the reseed function and call extract_buf() while that lock > is held. I'll send a patch for that soon. Extract_buf() is supposed to be able to reliably generate high quality randomness; that's why we use it for the chacha reseed. If extract_buf() can return return the same value for two parallel calls to extract_buf(), that's a Bad Thing. For example, suppose there were two chacha contexts reseeding using extract_buf(), and they were racing against each other on two different CPU's. Having two of them reseed with the same value would be a cryptographic weakness. NACK to both patches. - Ted