author | V3n3RiX <venerix@koprulu.sector> | 2022-07-19 20:39:44 +0100 |
---|---|---|
committer | V3n3RiX <venerix@koprulu.sector> | 2022-07-19 20:39:44 +0100 |
commit | 54eca75a4e3e380e1d386f4d235baeb7d4ff332e (patch) | |
tree | 5f59a3e7b9069e5ab5ae4c5b46184560dc318692 /sys-apps/systemd | |
parent | fc7e841956ae3cc385629bf33433de23a6d04db6 (diff) |
gentoo auto-resync : 19:07:2022 - 20:39:44
Diffstat (limited to 'sys-apps/systemd')
-rw-r--r-- | sys-apps/systemd/Manifest | 1 | ||||
-rw-r--r-- | sys-apps/systemd/files/250.4-random-seed-hash.patch | 74 |
2 files changed, 0 insertions, 75 deletions
diff --git a/sys-apps/systemd/Manifest b/sys-apps/systemd/Manifest
index c674c0624824..67b5a761de0b 100644
--- a/sys-apps/systemd/Manifest
+++ b/sys-apps/systemd/Manifest
@@ -1,5 +1,4 @@
 AUX 00-hostnamed-network-user.conf 227 BLAKE2B 0cc780a2ea9f31f08be01184704e4fa8b4b95e4c82b7e2dd4127f82c594a5cd7c8f865a83ae5f1284e58a7fd120ee9a9f4f586b7e479d21f1e8adf26e8e61238 SHA512 97e8decd802de8581fb546e3a714376fbd065108f3edfed54a1036d93df02f9947c358aec9aa4841a766c9120fa20c69eb7867bb4d2bd7339d8bd89c43235b2b
-AUX 250.4-random-seed-hash.patch 3300 BLAKE2B 3a952e18ebc8075853943e57730b2f9cf0ac31e2161fce992d11df483a57fc777b74b212c243260ddb6255b2bfe6ac64ba4abfedd236d2cae5e18150e2e3d859 SHA512 4ade52e055d6ccd252221354125e3155c9398452a470b45dc15967fd354d94f4ef94437626c6063762c1c83243d65ec57b0b8d326b769514dbd76f2644925b39
 AUX 251-format-string.patch 1038 BLAKE2B 2b7400516fd93bdaa887e6203b44e656ccc27ddd963264c2ae1a360c5899cbd42417e66f72fb8c02366a64371257d782d9c34e5288b17e357edebdb55da939c8 SHA512 d300bdcad16485a92c80df575c403fabbdcd4e8c71251e56147b0d85c2a2e8d271eb055b5f188a184cb652c22ce428176355f322e679b88bb8db90610e63c1a4
 AUX 251-revert-fortify-source-3-fix.patch 2059 BLAKE2B 5b34062821f2097fc622ffc66d83029267173b2b4131b29d9339644577b7e80c513c83f62d07ba3e030c2a861efe7d399bd871cc35803b39940f7ec0e7bacfec SHA512 14c5ac8d0343a4cb50de6c56124e515b159cf5f9bf358404ba41ec7a9c439206673e0d44888164ff3872236c7b8c74f5ea9544ea7a981a3b5930585dabcd4782
 AUX gentoo-generator-path-r2.patch 994 BLAKE2B 2bfb42623221291030fa9f7310e9bf747351a26f6ffd842628298787b74d4ec562bacaa9fc5365f7e854f695dab5f74bc06883fefc1f210dce4fd415926817ac SHA512 98054222ea232e120625573b6a532c312eccc02fe657152610b7d056b964bb2165fffae9d17fd986cf547af885d44c26b117fe68df5b24e2607d37f3729d0ada
diff --git a/sys-apps/systemd/files/250.4-random-seed-hash.patch b/sys-apps/systemd/files/250.4-random-seed-hash.patch
deleted file mode 100644
index efaa8cdfcaac..000000000000
--- a/sys-apps/systemd/files/250.4-random-seed-hash.patch
+++ /dev/null
@@ -1,74 +0,0 @@ -https://github.com/systemd/systemd-stable/commit/ed46ff2bd6ca21d83cae4a94c3ed752ad1b64cce - -From: "Jason A. Donenfeld" <Jason@zx2c4.com> -Date: Mon, 3 Jan 2022 18:11:32 +0100 -Subject: [PATCH] random-seed: hash together old seed and new seed before - writing out file - -If we're consuming an on-disk seed, we usually write out a new one after -consuming it. In that case, we might be at early boot and the randomness -could be rather poor, and the kernel doesn't guarantee that it'll use -the new randomness right away for us. In order to prevent the new -entropy from getting any worse, hash together the old seed and the new -seed, and replace the final bytes of the new seed with the hash output. -This way, entropy strictly increases and never regresses. - -(cherry picked from commit da2862ef06f22fc8d31dafced6d2d6dc14f2ee0b) ---- a/src/random-seed/random-seed.c -+++ b/src/random-seed/random-seed.c -@@ -26,6 +26,7 @@ - #include "random-util.h" - #include "string-util.h" - #include "sync-util.h" -+#include "sha256.h" - #include "util.h" - #include "xattr-util.h" - -@@ -106,9 +107,11 @@ static int run(int argc, char *argv[]) { - _cleanup_close_ int seed_fd = -1, random_fd = -1; - bool read_seed_file, write_seed_file, synchronous; - _cleanup_free_ void* buf = NULL; -+ struct sha256_ctx hash_state; -+ uint8_t hash[32]; - size_t buf_size; - struct stat st; -- ssize_t k; -+ ssize_t k, l; - int r; - - log_setup(); -@@ -242,6 +245,16 @@ static int run(int argc, char *argv[]) { - if (r < 0) - log_error_errno(r, "Failed to write seed to /dev/urandom: %m"); - } -+ /* If we're going to later write out a seed file, initialize a hash state with -+ * the contents of the seed file we just read, so that the new one can't regress -+ * in entropy. 
*/ -+ if (write_seed_file) { -+ sha256_init_ctx(&hash_state); -+ if (k < 0) -+ k = 0; -+ sha256_process_bytes(&k, sizeof(k), &hash_state); -+ sha256_process_bytes(buf, k, &hash_state); -+ } - } - - if (write_seed_file) { -@@ -277,6 +290,17 @@ static int run(int argc, char *argv[]) { - "Got EOF while reading from /dev/urandom."); - } - -+ /* If we previously read in a seed file, then hash the new seed into the old one, -+ * and replace the last 32 bytes of the seed with the hash output, so that the -+ * new seed file can't regress in entropy. */ -+ if (read_seed_file) { -+ sha256_process_bytes(&k, sizeof(k), &hash_state); -+ sha256_process_bytes(buf, k, &hash_state); -+ sha256_finish_ctx(&hash_state, hash); -+ l = MIN(k, 32); -+ memcpy((uint8_t *)buf + k - l, hash, l); -+ } -+ - r = loop_write(seed_fd, buf, (size_t) k, false); - if (r < 0) - return log_error_errno(r, "Failed to write new random seed file: %m"); |