author: Jason A. Donenfeld <Jason@zx2c4.com> 2017-06-12 16:32:59 +0200
committer: Jason A. Donenfeld <Jason@zx2c4.com> 2017-06-12 17:02:12 +0200
commit: 401294f7526de40a15c06997fceae58278807d22
tree: 0b800c0a7c23f8cc7cf5cdea21ac13d3b84402e4 /src/cookie.c
parent: version: bump snapshot
random: wait for random bytes when generating nonces and ephemerals
We can let userspace configure wireguard interfaces before the RNG is fully initialized, since what we mostly care about is having good randomness for ephemerals and xchacha nonces. By deferring the wait to actually asking for the randomness, we give a lot more opportunity for gathering entropy. This won't cover entropy for hash table secrets or cookie secrets (which rotate anyway), but those have far less catastrophic failure modes, so ensuring good randomness for elliptic curve points and nonces should be sufficient.
Diffstat (limited to 'src/cookie.c')
-rw-r--r-- src/cookie.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/cookie.c b/src/cookie.c
index 21b7c7b..ce22b53 100644
--- a/src/cookie.c
+++ b/src/cookie.c
@@ -161,7 +161,7 @@ void cookie_message_create(struct message_handshake_cookie *dst, struct sk_buff
dst->header.type = cpu_to_le32(MESSAGE_HANDSHAKE_COOKIE);
dst->receiver_index = index;
- get_random_bytes(dst->nonce, COOKIE_NONCE_LEN);
+ get_random_bytes_wait(dst->nonce, COOKIE_NONCE_LEN);
make_cookie(cookie, skb, checker);
xchacha20poly1305_encrypt(dst->encrypted_cookie, cookie, COOKIE_LEN, macs->mac1, COOKIE_LEN, dst->nonce, checker->cookie_encryption_key);
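Review bot: The result of get_random_bytes_wait() is discarded on the added line, and cookie_message_create() is declared void, so a failed wait has no way to reach the caller. The helper's definition is not part of this hunk; if it can return an error without filling the buffer (for example when the wait is interrupted), dst->nonce would go into xchacha20poly1305_encrypt() with whatever the buffer held before, which risks a repeated nonce under checker->cookie_encryption_key. Either check the return value and skip sending the cookie reply on failure, or add a comment at the call explaining why the wait cannot fail in this context. Since the call can now block, it would also help to note in the commit message or in a comment that every caller of cookie_message_create() runs in a context that is allowed to sleep.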