On 08/01/2021 23:20, Paul Eggert wrote:
> On 1/4/21 9:03 AM, Adhemerval Zanella wrote:
>> For __GT_NOCREATE (mktemp, tempnam, tmpnam) getrandom is also used
>> on first try, otherwise randomness is obtained using the clock plus
>> a linear congruential generator.
>
> Why not use getrandom in the first try also for __GT_DIR (mkdtemp) and
> __GT_FILE (mkostemp, mkostemps, mkstemp, mkstemps, tmpfile)? That is what
> Gnulib tempname.c is doing now. This not only simplifies the code, it
> improves resistance to some (admittedly less-likely) attacks.
The idea is to always issue getrandom for __GT_DIR or __GT_FILE on first try,
as you suggested initially [1]. I followed your idea [2]:
Here's an idea: use getrandom in the first try only for the __GT_NOCREATE
case.
Although a bit more complicated, I expect this would address both your
entropy
and my security concerns.
The current code should address Jakub concerns of using getrandom without
GRND_NONBLOCK and not using on on first try (to avoid deplete the random
entropy pool) and use getrandom only when a collision if found. I will merge
the code, close the bug, and we can work whether use getrandom only for
__GT_DIR/__GT_FILE is an improvement or not.
>
>> Also for getrandom GRND_NONBLOCK is used to avoid blocking indefinitely
>> on some older kernels.
>
> Thanks, I installed that part of the proposal into Gnulib by installing the
> attached. The idea is for tempname.c to be identical after we get the
> abovementioned issue worked out.
[1] https://sourceware.org/pipermail/libc-alpha/2020-September/117535.html
[2] https://sourceware.org/pipermail/libc-alpha/2020-September/117539.html
