Received: by 2002:ac0:e34a:0:0:0:0:0 with SMTP id g10csp302511imn; Mon, 25 Jul 2022 17:11:14 -0700 (PDT) X-Google-Smtp-Source: AGRyM1u0ZhJKte8n5kf5WRmSUIppqHOWYXDC+o8B5TlsaC7+t0/bhE2T+4LSPLvgSYuBrpvBp6IN X-Received: by 2002:a17:906:730b:b0:72b:2f3d:299a with SMTP id di11-20020a170906730b00b0072b2f3d299amr11685711ejc.583.1658794273836; Mon, 25 Jul 2022 17:11:13 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1658794273; cv=none; d=google.com; s=arc-20160816; b=tEtgagH4DP1ijQL04FOUAWPsZdLGXsfddCP3AqBJfzpiFV21TendU6eHiO5FHohfVg /fccmearkfBsHrc5OxFWJ5ZCzkOHF0QykPqdS9bwZR/dJvgN8I6hhUl5dgw4dCHGSv5F Vlbw7FsRrGBxWkO23NsGkQRCh3ua/eEGNvgTPLd5yLmpkz+MYPpTi4R1dHAANaLhF6BN fsHyEz5gDBtMjamy4W2veIfL18KDFpd9p8/3Lj+LW3osXIbeCpYcCd9sUrHNFgtFwQzY 749gZTSxxZS79cEk9cmuqqP/5rEjwi34Dkqa4kWmGa1/DlnJ4kU4FOKwx2Xh/6oC42I5 ubmA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=YUmywLRn+orXZi0Fi8UQhh2iY/dZwuLS2+oyceokwas=; b=WVsKqtZoimLxZC2oGmLMwJFgNyVceNGxM6oPcXcutHI1F66bHc4aEb3hczSmRv4kRG FyJfrc9NA9S84c8YpBIElF8ercSQjrKrTlI1jBB42P/rYsbKh5+FQ2BU5UOBql41Rvbj QWdy+iUZR0xdnqRUFDsBCYM5BM1K7AEwXgNP+pcyoDgfyP+1fuj2xHrIPbd7VD1Ci7H0 BGc3sjHxyhIeVJcaWZ98Oyt41QosG1vQTHLMq2rfu2FlsgbkQcqBIEERtsEGam6yQSNF UQGoqC7VH3FxBOVTbPEyhC6MJ9eGt51yswEzOXuH9fuXowwRJ5FfOkWLjLdMcByvcq/u eZ6g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=BF2XFs1z; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id la12-20020a170906ad8c00b0070c519c7b69si12353763ejb.409.2022.07.25.17.10.37; Mon, 25 Jul 2022 17:11:13 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=BF2XFs1z; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229845AbiGYX7Y (ORCPT + 99 others); Mon, 25 Jul 2022 19:59:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43982 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229807AbiGYX7X (ORCPT ); Mon, 25 Jul 2022 19:59:23 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 961B527FCA for ; Mon, 25 Jul 2022 16:59:22 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 46F94B81135 for ; Mon, 25 Jul 2022 23:59:21 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id C2730C341C6; Mon, 25 Jul 2022 23:59:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1658793560; bh=WNjsHKxZrxJu30Nh9hFxA4BLbFlFjByDPjlC0lpsORs=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=BF2XFs1zwAuO7H2i4MtxI+a4D2RqmQ6C5qSnfG4dzRm1OrwYZ6QV34se63sgNdJi0 pfLT/6xny62RbbWLKf3+zufc7BZQ7yO+ZNoVbtsMn8kZ0y5olpNHpUL3Yhi8Ev+JHS DvPH8BipDnIC8vgYPrQAM30LrBDDu8Mf6BHr0gqj/Ikpvi/TCgw0b1L2skLyE5RoOE 98szFyEB8ttLDOqzt+KAe0Hj8dn19FMl/MCY2YWLqEK/qQvRxUbkS6ud7FCojiktRY kgGINyFO/i3NK7fciLgor8YyPtJ9FboEiYTYmP8sEqb5V6FeyKpGP94wsNoKsq7bRt Kytk942ZidMOQ== Date: Mon, 25 Jul 2022 16:59:17 -0700 From: Eric Biggers To: "Jason A. Donenfeld" Cc: libc-alpha@sourceware.org, Adhemerval Zanella Netto , Florian Weimer , Cristian =?iso-8859-1?Q?Rodr=EDguez?= , Paul Eggert , linux-crypto@vger.kernel.org Subject: Re: [PATCH v2] arc4random: simplify design for better safety Message-ID: References: <20220725225728.824128-1-Jason@zx2c4.com> <20220725232810.843433-1-Jason@zx2c4.com> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20220725232810.843433-1-Jason@zx2c4.com> X-Spam-Status: No, score=-7.7 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Tue, Jul 26, 2022 at 01:28:10AM +0200, Jason A. Donenfeld wrote: > Rather than buffering 16 MiB of entropy in userspace (by way of > chacha20), simply call getrandom() every time. > > This approach is doubtlessly slower, for now, but trying to prematurely > optimize arc4random appears to be leading toward all sorts of nasty > properties and gotchas. Instead, this patch takes a much more > conservative approach. The interface is added as a basic loop wrapper > around getrandom(), and then later, the kernel and libc together can > work together on optimizing that. > > This prevents numerous issues in which userspace is unaware of when it > really must throw away its buffer, since we avoid buffering all > together. Future improvements may include userspace learning more from > the kernel about when to do that, which might make these sorts of > chacha20-based optimizations more possible. The current heuristic of 16 > MiB is meaningless garbage that doesn't correspond to anything the > kernel might know about. So for now, let's just do something > conservative that we know is correct and won't lead to cryptographic > issues for users of this function. > > This patch might be considered along the lines of, "optimization is the > root of all evil," in that the much more complex implementation it > replaces moves too fast without considering security implications, > whereas the incremental approach done here is a much safer way of going > about things. Once this lands, we can take our time in optimizing this > properly using new interplay between the kernel and userspace. > > getrandom(0) is used, since that's the one that ensures the bytes > returned are cryptographically secure. But on systems without it, we > fallback to using /dev/urandom. This is unfortunate because it means > opening a file descriptor, but there's not much of a choice. Secondly, > as part of the fallback, in order to get more or less the same > properties of getrandom(0), we poll on /dev/random, and if the poll > succeeds at least once, then we assume the RNG is initialized. This is a > rough approximation, as the ancient "non-blocking pool" initialized > after the "blocking pool", not before, but it's the best approximation > we can do. > > The motivation for including arc4random, in the first place, is to have > source-level compatibility with existing code. That means this patch > doesn't attempt to litigate the interface itself. It does, however, > choose a conservative approach for implementing it. > > Cc: Adhemerval Zanella Netto > Cc: Florian Weimer > Cc: Cristian Rodr?guez > Cc: Paul Eggert > Cc: linux-crypto@vger.kernel.org > Signed-off-by: Jason A. Donenfeld This looks good to me. There are still a few bits that need to be removed/updated. With a quick grep, I found: sysdeps/generic/tls-internal-struct.h: struct arc4random_state_t *rand_state; sysdeps/unix/sysv/linux/tls-internal.h:/* Reset the arc4random TCB state on fork. * NEWS: ... The functions use a pseudo-random number generator along with NEWS: entropy from the kernel. Also, the documentation in manual/math.texi should say that the randomness is cryptographically secure. - Eric