Subject: Re: [PATCH 0/7] Add arc4random support
From: Yann Droneaud (OPTEYA)
To: Adhemerval Zanella, GNU C Library
Date: Fri, 15 Apr 2022 12:22:43 +0200
List: libc-alpha@sourceware.org
In-Reply-To: <312fd8c0-e739-f397-5808-5109385a4505@linaro.org>
References: <20220413202401.408267-1-adhemerval.zanella@linaro.org> <7a992928-7a8f-1f62-3153-15e8748bda59@opteya.com> <312fd8c0-e739-f397-5808-5109385a4505@linaro.org>

Hi,

On 14/04/2022 at 20:39, Adhemerval Zanella wrote:
> On 14/04/2022 04:36, Yann Droneaud wrote:
>> On 13/04/2022 at 22:23, Adhemerval Zanella via Libc-alpha wrote:
>>> This patch adds the arc4random, arc4random_buf, and arc4random_uniform
>>> along with optimized versions for x86_64, aarch64, and powerpc64.
>>>
>>> The generic implementation is based on scalar Chacha20, with a global
>>> cache and locking.  It uses getrandom or /dev/urandom as fallback to
>>> get the initial entropy, and reseeds the internal state on every 16MB
>>> of consumed entropy.
>>>
>>> It maintains an internal buffer which consumes at maximum one page on
>>> most systems (assuming 4k pages).  The internal buffer optimizes the
>>> cipher encrypt calls, by amortizing arc4random calls (where both
>>> function call and lock costs are the dominating factor).
>>>
>>> Fork detection is done by checking if MADV_WIPEONFORK is supported.  If not,
>>> the fork callback will reset the state on the fork call.  It does not
>>> handle direct clone calls, nor vfork or _Fork (arc4random is not
>>> async-signal-safe due to the internal lock usage, although the
>>> implementation does try to handle fork cases).
>>>
>>> The generic ChaCha20 implementation is based on the RFC8439 [1], which is
>>> a simple memcpy with xor implementation.
>>
>> The xor (with 0) is a waste of CPU cycles as the ChaCha20 keystream is the PRNG output.
>
> I don't have a strong feeling about it, although it seems that any other
> ChaCha20 implementation I have checked does it (libgcrypt, Linux,
> BSD). The BSD also does it for arc4random, although most if not
> all come from OpenBSD and they are usually paranoid with security
> hardening.

Check #define KEYSTREAM_ONLY

https://github.com/openbsd/src/blob/master/lib/libc/crypt/arc4random.c#L36
https://github.com/openbsd/src/blob/master/lib/libc/crypt/chacha_private.h#L166

Regards.

-- 
Yann Droneaud
OPTEYA