diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2022-04-30 00:47:17 +0300 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2022-04-30 00:47:17 +0300 |
| commit | bdda8303f764d844e7b2fb69e5fd21c650c60943 (patch) | |
| tree | c1e19e24009f14fb6e3d5174082aa0be3b1b7d92 /drivers | |
| parent | bd383b8e32f6aab08c9485b1fe86e2e932b1df69 (diff) | |
| parent | 5a7e470e460fb90657343d843732325e53bb875f (diff) | |
| download | linux-bdda8303f764d844e7b2fb69e5fd21c650c60943.tar.xz | |
Merge tag 'random-5.18-rc5-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/crng/random
Pull random number generator fixes from Jason Donenfeld:
- Eric noticed that the memmove() in crng_fast_key_erasure() was bogus,
so this has been changed to a memcpy() and the confusing situation
clarified with a detailed comment.
- [Half]SipHash documentation updates from Bagas and Eric, after Eric
pointed out that the use of HalfSipHash in random.c made a bit of the
text potentially misleading.
* tag 'random-5.18-rc5-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/crng/random:
Documentation: siphash: disambiguate HalfSipHash algorithm from hsiphash functions
Documentation: siphash: enclose HalfSipHash usage example in the literal block
Documentation: siphash: convert danger note to warning for HalfSipHash
random: document crng_fast_key_erasure() destination possibility
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/char/random.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/drivers/char/random.c b/drivers/char/random.c index 3a293f919af9..4c9adb4f3d5d 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -318,6 +318,13 @@ static void crng_reseed(bool force) * the resultant ChaCha state to the user, along with the second * half of the block containing 32 bytes of random data that may * be used; random_data_len may not be greater than 32. + * + * The returned ChaCha state contains within it a copy of the old + * key value, at index 4, so the state should always be zeroed out + * immediately after using in order to maintain forward secrecy. + * If the state cannot be erased in a timely manner, then it is + * safer to set the random_data parameter to &chacha_state[4] so + * that this function overwrites it before returning. */ static void crng_fast_key_erasure(u8 key[CHACHA_KEY_SIZE], u32 chacha_state[CHACHA_STATE_WORDS], @@ -333,7 +340,7 @@ static void crng_fast_key_erasure(u8 key[CHACHA_KEY_SIZE], chacha20_block(chacha_state, first_block); memcpy(key, first_block, CHACHA_KEY_SIZE); - memmove(random_data, first_block + CHACHA_KEY_SIZE, random_data_len); + memcpy(random_data, first_block + CHACHA_KEY_SIZE, random_data_len); memzero_explicit(first_block, sizeof(first_block)); } |