Message-ID: <312fd8c0-e739-f397-5808-5109385a4505@linaro.org>
Date: Thu, 14 Apr 2022 15:39:06 -0300
Subject: Re: [PATCH 0/7] Add arc4random support
From: Adhemerval Zanella
To: Yann Droneaud, GNU C Library
References: <20220413202401.408267-1-adhemerval.zanella@linaro.org> <7a992928-7a8f-1f62-3153-15e8748bda59@opteya.com>
In-Reply-To: <7a992928-7a8f-1f62-3153-15e8748bda59@opteya.com>
List-Id: Libc-alpha mailing list

On 14/04/2022 04:36, Yann Droneaud wrote:
> Hi,
>
> On 13/04/2022 at 22:23, Adhemerval Zanella via Libc-alpha wrote:
>
>> This patch adds arc4random, arc4random_buf, and arc4random_uniform,
>> along with optimized versions for x86_64, aarch64, and powerpc64.
>>
>> The generic implementation is based on scalar ChaCha20, with a global
>> cache and locking.  It uses getrandom or /dev/urandom as fallback to
>> get the initial entropy, and reseeds the internal state on every 16MB
>> of consumed entropy.
>>
>> It maintains an internal buffer which consumes at maximum one page on
>> most systems (assuming 4k pages).  The internal buffer optimizes the
>> cipher encrypt calls by amortizing arc4random calls (where both the
>> function call and lock costs are the dominating factor).
>>
>> Fork detection is done by checking if MADV_WIPEONFORK is supported.  If
>> not, the fork callback will reset the state on the fork call.  It does
>> not handle direct clone calls, nor vfork or _Fork (arc4random is not
>> async-signal-safe due to the internal lock usage, although the
>> implementation does try to handle fork cases).
>>
>> The generic ChaCha20 implementation is based on RFC8439 [1], which is
>> a simple memcpy-with-xor implementation.
>
> The xor (with 0) is a waste of CPU cycles, as the ChaCha20 keystream is the PRNG output.

I don't have a strong feeling about it, although it seems that any other ChaCha20 implementation I have checked does it (libgcrypt, Linux, BSD). The BSDs also do it for arc4random, although most if not all come from OpenBSD, and they are usually paranoid about security hardening. I am no security expert, so I will keep it as is for the generic interface (the arch-optimized versions also do it, so I think it might be a good idea to keep the implementation with similar semantics).