Received: by 2002:ac0:e34a:0:0:0:0:0 with SMTP id g10csp54309imn; Wed, 27 Jul 2022 15:03:35 -0700 (PDT) X-Google-Smtp-Source: AGRyM1vK0QpAqRNW1HHRwd8Vw/AUuhC05xSYuniVfcZ6CETF/tXK81zr0oXJllaqA2pGiTNQbEnH X-Received: by 2002:a17:902:ba91:b0:16c:6b8e:cd06 with SMTP id k17-20020a170902ba9100b0016c6b8ecd06mr23044185pls.33.1658959415596; Wed, 27 Jul 2022 15:03:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1658959415; cv=none; d=google.com; s=arc-20160816; b=lBV2X8hYnT0qoFbVBXc4Z+z3M+ler9yZxQoSLvm8+m85VA0LnMyQ090tkn9F8DEAHX dHsW8sRfb23AbesZrW8rrKki4BSDLXtpZix38MpAVEnElaxE8ndhW7FxJSegjB0O5V1B AkDFaMFl3W9lq5puH/c4e4eV9grGqNx4IA6637mK5MsK6OxKsxgxVmIv7B+XzdBH/0vO 7Ln+D6ZOXvdE9Y5GjoKUlfhXn0MOHFSG1Ft3CS/nTHXHCbNcfIKRoXeCBmqNYVwo7/Ot 1s/qnBWHUVQBFmgeII8g68awzziByV989cFLma5o02cLOTXFa8sD9ry7jHySPhia/+mt avng== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=HLw2i172QSshjn11WONgTFrtedYEe1ZUo1Dn/LfxuDA=; b=pVvwepFjjQrJ6DRafmHAXlP83mB599igbvqk1R39VjVeHUvLMY4b4pUI9tNPJlJsZd uyU4WoTgqPg2EwUPn8TDGiRGPGICJOixKpmA5DTDAlcUSmK2PpMMBpLdJ7OeBRc+OtGz oVE3Yk4viEDRM8OmQhEFPkivYumRkyWhByoO6Ss4/610ECvFemshmugvoX40jWUjmmnv VNMPptNHF/uemEzPLXbZndu0+SHx2Su+vigQvdkTQUugOgvIMRjpnn2/yHAM3twO7JkF /jVlaHj7DZzz4EG+W2h2BHM3eVV6KYSJ1ntITbJ8lN3JPQbSh7o1ZulvKhgW6jM+Y1an OTag== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id a14-20020a1709027d8e00b0016db1abd2ecsi2933779plm.265.2022.07.27.15.02.39; Wed, 27 Jul 2022 15:03:35 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232024AbiG0V7y (ORCPT + 99 others); Wed, 27 Jul 2022 17:59:54 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43230 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230383AbiG0V7y (ORCPT ); Wed, 27 Jul 2022 17:59:54 -0400 Received: from brightrain.aerifal.cx (brightrain.aerifal.cx [216.12.86.13]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 76A294D830 for ; Wed, 27 Jul 2022 14:59:52 -0700 (PDT) Date: Wed, 27 Jul 2022 17:59:49 -0400 From: Rich Felker To: Theodore Ts'o Cc: Florian Weimer , Yann Droneaud , "Jason A. Donenfeld" , libc-alpha@sourceware.org, Michael@phoronix.com, linux-crypto@vger.kernel.org, jann@thejh.net Subject: Re: arc4random - are you sure we want these? Message-ID: <20220727215949.GM7074@brightrain.aerifal.cx> References: <20220725153303.GF7074@brightrain.aerifal.cx> <878rohp2ll.fsf@oldenburg.str.redhat.com> <20220725174430.GI7074@brightrain.aerifal.cx> <20220725184929.GJ7074@brightrain.aerifal.cx> <87v8rid8ju.fsf@oldenburg.str.redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) X-Spam-Status: No, score=-0.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE, SPF_NONE,TVD_SUBJ_NUM_OBFU_MINFP autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Wed, Jul 27, 2022 at 04:15:24PM -0400, Theodore Ts'o via Libc-alpha wrote: > On Wed, Jul 27, 2022 at 02:49:57PM +0200, Florian Weimer wrote: > > * Theodore Ts'o: > > > > > But even if you didn't take the latest kernels, I think you will find > > > that if you actually benchmark how many queries per second a real-life > > > secure web server or VPN gateway, even the original 5.15.0 /dev/random > > > driver was plenty fast enough for real world cryptographic use cases. > > > > The idea is to that arc4random() is suitable in pretty much all places > > that have historically used random() (outside of deterministic > > simulations). Straight calls to getrandom are much, much slower than > > random(), and it's not even the system call overhead. > > What are those places? And what are their performance and security > requirements? I've heard some people claim that arc4random() is > supposed to provide strong security guarantees. I've heard others > claim that it doesn't, or at least glibc was planning on disclaiming > security guaranteees. So there seems to be a lack of clarity about > the security requirements. The only place I've heard of a viable "soft requirement" for real entropy is for salting the hash function used in hash table maps to harden them against DoS via intentional collisions. This is a small but arguably legitimate usage domain. Most use of random() is not this, and should not be this -- the value of deterministic execution for ability to reproduce crashes, debug, etc. is real, and the value of actual entropy vs a deterministic-seeded prng is imaginary. The purpose of arc4random has always been *cryptographically secure* entropy, not "gratuitously replace random() and break reproducible behavior because the programmer does not understand the difference". Nobody should be advocating for using these functions for anything except secure secrets. Rich