From: Noah Goldstein
Date: Thu, 14 Apr 2022 13:43:48 -0500
Subject: Re: [PATCH 0/7] Add arc4random support
To: Adhemerval Zanella
Cc: Yann Droneaud, GNU C Library

On Thu, Apr 14, 2022 at 1:39 PM Adhemerval Zanella via Libc-alpha wrote:
>
> On 14/04/2022 04:36, Yann Droneaud wrote:
> > Hi,
> >
> > On 13/04/2022 at 22:23, Adhemerval Zanella via Libc-alpha wrote:
> >
> >> This patch adds the arc4random, arc4random_buf, and arc4random_uniform
> >> along with optimized versions for x86_64, aarch64, and powerpc64.
> >>
> >> The generic implementation is based on scalar ChaCha20, with a global
> >> cache and locking. It uses getrandom or /dev/urandom as fallback to
> >> get the initial entropy, and reseeds the internal state on every 16MB
> >> of consumed entropy.
> >>
> >> It maintains an internal buffer which consumes at maximum one page on
> >> most systems (assuming 4k pages). The internal buffer optimizes the
> >> cipher encrypt calls, by amortizing arc4random calls (where both
> >> function call and lock costs are the dominating factor).
> >>
> >> Fork detection is done by checking if MADV_WIPEONFORK is supported. If not,
> >> the fork callback will reset the state on the fork call. It does not
> >> handle direct clone calls, nor vfork or _Fork (arc4random is not
> >> async-signal-safe due to the internal lock usage, although the
> >> implementation does try to handle fork cases).
> >>
> >> The generic ChaCha20 implementation is based on the RFC8439 [1], which
> >> is a simple memcpy with xor implementation.
> >
> > The xor (with 0) is a waste of CPU cycles as the ChaCha20 keystream is the PRNG output.
>
> I don't have a strong feeling about it, although it seems that any other
> ChaCha20 implementation I have checked does it (libgcrypt, Linux,
> BSD). The BSDs also do it for arc4random, although most if not
> all come from OpenBSD and they are usually paranoid with security
> hardening.
>
> I am no security expert, so I will keep it as is for the generic interface
> (also the arch optimizations do it, so I think it might be a
> good idea to keep the implementation with similar semantics).

Does the arc4random use case require the xor zeroing though? Think it would be a mistake to guarantee it as it seems like a pretty reasonable thing to want to optimize out if we need better performance.