Received: by 2002:ac0:e34a:0:0:0:0:0 with SMTP id g10csp56497imn; Mon, 25 Jul 2022 10:03:18 -0700 (PDT) X-Google-Smtp-Source: AGRyM1slvvSC0eyRawB2WwgoqiASk5lm/xinvEMwkGrnBpLZuqaTNRA5df5RP4a9X1GyqtvPJOzN X-Received: by 2002:a05:6870:a791:b0:10d:8606:c68b with SMTP id x17-20020a056870a79100b0010d8606c68bmr14086905oao.234.1658768597816; Mon, 25 Jul 2022 10:03:17 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1658768597; cv=none; d=google.com; s=arc-20160816; b=yzPfMLKw0asd5f/AF5/zFNAefoC+JJgk20V3BNHfFHHv1Gj4Qapfp9Afk0BxTNDKkL Q3m77+Zu/rKmrMoHs+I4x9EWtbE23ZPLhjHeop+R9qq6ZruPlPNem6QQFMfrbKsjrOMo mF1ekR4BQyUesIdwIUad7K1Rcj6wCr8lCCt6LKiSBNM2f8qypYJK5VxECwTbv5b93f5G qy+rGmA8yS20m/2MoXIFI4kUxCk3VeOuItPMFloINv2bxXGsdpYRe2zPKmYd/MfhELgR IAV99yWx4ASdfgFoa9676wpF1RU+PCZf2OvaDpv3Yk2dOJeIffXzs304AkxfUJxb+NcU /pIQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=22CxmZdXpJu6JrRTMoV2Dy7SVbqDOus6U00qu/Ti6MM=; b=cKYZRyiVu86TJr/AllHRjUe4xCKBEhnnO6ML5xKAvzHRbmbT4tVn0q+ER2WlK1fvR4 ZGSyK1AVAhqqYUub8pnAVpqW+l32zLk2IHYIgBhSC5PF3aV55kJBfHmhavd1FfKMA8bo 3nTGtnDOEbCpv2546WpL1NM3Kpu7xoy5pN9WOQQrIipBw/tZJv+Iwt41wEm9DKg5CJVq A2ouiLKisS9kIJkQaKwc28v1DoCGRKDkRZt4rTIyIBhEq+Wo/ho0/worzpNzhP+Y88EZ ovBkkSdlUYTe5APTeOz23Vy12FLvWS6A8Ow5mYdPRz1qD+49KgjQb+U0xyufNogveO0p brRw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@zx2c4.com header.s=20210105 header.b=mDLPBw1G; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=zx2c4.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id bb41-20020a05680816a900b0033a9bd27eefsi9300183oib.161.2022.07.25.10.03.01; Mon, 25 Jul 2022 10:03:17 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@zx2c4.com header.s=20210105 header.b=mDLPBw1G; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=zx2c4.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233791AbiGYQvo (ORCPT + 99 others); Mon, 25 Jul 2022 12:51:44 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47504 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233698AbiGYQvn (ORCPT ); Mon, 25 Jul 2022 12:51:43 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CD9F91D0CD for ; Mon, 25 Jul 2022 09:51:42 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 6AE2F61335 for ; Mon, 25 Jul 2022 16:51:42 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id C42F2C341CE; Mon, 25 Jul 2022 16:51:40 +0000 (UTC) Authentication-Results: smtp.kernel.org; dkim=pass (1024-bit key) header.d=zx2c4.com header.i=@zx2c4.com header.b="mDLPBw1G" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zx2c4.com; s=20210105; t=1658767899; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=22CxmZdXpJu6JrRTMoV2Dy7SVbqDOus6U00qu/Ti6MM=; b=mDLPBw1GzW175CQRiaKqG9jEQqy4BuRSVkd22sDkRytDhgal6JQepY12lSdB9xUunNpITI UJfc8mJ2bFdXcCx/sKX4FUti53jzAD/ZpIz/xop8AQyTEH9zaglVh/LiJ/x0ue0XADGUnm yhZv51h2c1iZDZ845Bd5ug4UlxtRJRg= Received: by mail.zx2c4.com (ZX2C4 Mail Server) with ESMTPSA id cb71a268 (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO); Mon, 25 Jul 2022 16:51:38 +0000 (UTC) Date: Mon, 25 Jul 2022 18:51:36 +0200 From: "Jason A. Donenfeld" To: Florian Weimer Cc: Rich Felker , Adhemerval Zanella Netto , libc-alpha@sourceware.org, Yann Droneaud , jann@thejh.net, Michael@phoronix.com, Paul Eggert , linux-crypto@vger.kernel.org Subject: Re: arc4random - are you sure we want these? Message-ID: References: <6bf352e9-1312-40de-4733-3219721b343c@linaro.org> <20220725153303.GF7074@brightrain.aerifal.cx> <878rohp2ll.fsf@oldenburg.str.redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <878rohp2ll.fsf@oldenburg.str.redhat.com> X-Spam-Status: No, score=-6.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, RCVD_IN_DNSWL_HI,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Hi Florian, On Mon, Jul 25, 2022 at 06:40:54PM +0200, Florian Weimer wrote: > The core issue is that on some kernels/architectures, reading from > /dev/urandom can degrade to GRND_INSECURE (approximately), and while the > result is likely still unpredictable, not everyone would label that as a > CSPRNG. On some old kernels (though I think not all?), you can poll on /dev/random. This isn't perfect, as the ancient "non blocking pool" initialized after the "blocking pool", but it's not too imperfect either. Take a look at the previously linked random-util.c. > If we document arc4random as a CSPRNG, this means that we would have to > ditch the fallback code and abort the process if the getrandom system > call is not available: when reading from /dev/urandom as a fallback, we > have no way of knowing if we are in any of the impacted execution > environments. Based on your other comments, it seems that you are > interested in such fallbacks, too, but I don't think you can actually > have both (CSPRNG + fallback). > > And then there is the certification issue. We really want applications > that already use OpenSSL for other cryptography to use RAND_bytes > instead of arc4random. Likewise for GNUTLS and gnutls_rnd. What should > authors of those cryptographic libraries? That's less clear, and really > depends on the constraints they operate in (e.g., they may target only a > subset of architectures and kernel versions). I think all of this is yet another indication that there are some major things to work out -- should we block or not? is buffering safe? is the interface correct? -- and so we should just back out the arc4random commit until this has been explored a bit more. We're not gaining anything from rushing this, especially as a "source code compatibility" thing, if there's not even agreement between OSes on what the function does inside. Jason PS: please try to keep linux-crypto@vger.kernel.org CC'd. I've been bouncing these manually when not, but it's hard to keep up with that.