From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-oi1-x234.google.com (mail-oi1-x234.google.com [IPv6:2607:f8b0:4864:20::234]) by sourceware.org (Postfix) with ESMTPS id 217A338768B7 for ; Mon, 25 Jul 2022 16:49:52 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 217A338768B7 Received: by mail-oi1-x234.google.com with SMTP id j70so14169217oih.10 for ; Mon, 25 Jul 2022 09:49:52 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:to:cc:references:from:organization:in-reply-to :content-transfer-encoding; bh=vNgbBAAKpVYhDWlmki9OwZ/3IXrG6JxJ3yFwtq5HMig=; b=QnuomiScXCOq8/+JUgZW71Ewsxkn8xP6hv3SR37JgQe1WKlHHBNyEOSoJLti3DTftX S14gAISg9bsZZVyyiBJFF9HpjgPQJR2KGPluNB/IUAvyGDfadYgT80yBOEddrjDbHvPU 61fDSEsW+/U0uWQ+CqVfl9/4bRytvbVie00s+/+gF7kUOJyYaWo4XYBFGNOlFbyo2gE/ hz38ZhYNJvvOEN2Sv5A5S7+HCZpFTTzg5Pyu8QzXZJzty31n4Ugr4sV2+4MtyC7KAX6B sTOTnIRFaqPAZAKbu8Qpr4jnJ782M5mTby5U3B/V90gq9pmfbdWIQdd3WF9/VbBGjBdE IWow== X-Gm-Message-State: AJIora/kouO5+59SgVl+2dU97hRPXTsuhaFakLforxSmTBONThQvXv3Y GCoNyYtzIpGqBotXl8SGgdTBlcKAJDedHw== X-Google-Smtp-Source: AGRyM1tuF8pywYqWFq99Do4roO5Oy11ViXwT20ZZctcr+2g0EQ1AqcE9cwHktAXxch5MoQQQBiIz+Q== X-Received: by 2002:a05:6808:1201:b0:325:75e1:25a8 with SMTP id a1-20020a056808120100b0032575e125a8mr12762955oil.18.1658767791389; Mon, 25 Jul 2022 09:49:51 -0700 (PDT) Received: from ?IPV6:2804:431:c7cb:8ded:894b:344:2c82:9bb5? ([2804:431:c7cb:8ded:894b:344:2c82:9bb5]) by smtp.gmail.com with ESMTPSA id t16-20020a4ad0b0000000b0043577be222bsm4944415oor.22.2022.07.25.09.49.49 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 25 Jul 2022 09:49:51 -0700 (PDT) Message-ID: Date: Mon, 25 Jul 2022 13:49:47 -0300 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.0.3 Subject: Re: arc4random - are you sure we want these? Content-Language: en-US To: Florian Weimer , Rich Felker Cc: "Jason A. Donenfeld" , libc-alpha@sourceware.org, Yann Droneaud , jann@thejh.net, Michael@phoronix.com, Paul Eggert References: <6bf352e9-1312-40de-4733-3219721b343c@linaro.org> <20220725153303.GF7074@brightrain.aerifal.cx> <878rohp2ll.fsf@oldenburg.str.redhat.com> From: Adhemerval Zanella Netto Organization: Linaro In-Reply-To: <878rohp2ll.fsf@oldenburg.str.redhat.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-5.8 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, NICE_REPLY_A, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 25 Jul 2022 16:49:54 -0000 On 25/07/22 13:40, Florian Weimer wrote: > * Rich Felker: > >> On Sat, Jul 23, 2022 at 02:39:29PM -0300, Adhemerval Zanella Netto via Libc-alpha wrote: >>> On 23/07/22 13:25, Jason A. Donenfeld wrote: >>>> Firstly, for what use cases does this actually help? As of recent >>>> changes to the Linux kernels -- now backported all the way to 4.9! -- >>>> getrandom() and /dev/urandom are extremely fast and operate over per-cpu >>>> states locklessly. Sure you avoid a syscall by doing that in userspace, >>>> but does it really matter? Who exactly benefits from this? >>> >>> Mainly performance, since glibc both export getrandom and getentropy. >>> There were some discussion on maillist and we also decided to explicit >>> state this is not a CSRNG on our documentation. >> >> This is an extreme documentation/specification bug that *hurts* >> portability and security. The core contract of the historical >> arc4random function is that it *is* a CSPRNG. Having a function by >> that name that's allowed not to be one means now all software using it >> has to add detection for the broken glibc variant. >> >> If the glibc implementation has flaws that actually make it not a >> CSPRNG, this absolutely needs to be fixed. Not doing so is >> irresponsible and will set everyone back a long ways. > > The core issue is that on some kernels/architectures, reading from > /dev/urandom can degrade to GRND_INSECURE (approximately), and while the > result is likely still unpredictable, not everyone would label that as a > CSPRNG. > > If we document arc4random as a CSPRNG, this means that we would have to > ditch the fallback code and abort the process if the getrandom system > call is not available: when reading from /dev/urandom as a fallback, we > have no way of knowing if we are in any of the impacted execution > environments. Based on your other comments, it seems that you are > interested in such fallbacks, too, but I don't think you can actually > have both (CSPRNG + fallback). It seems the best course of actions, specially form the fact that document arc4random as a CSPRNG seems to a deal-breaker. > > And then there is the certification issue. We really want applications > that already use OpenSSL for other cryptography to use RAND_bytes > instead of arc4random. Likewise for GNUTLS and gnutls_rnd. What should > authors of those cryptographic libraries? That's less clear, and really > depends on the constraints they operate in (e.g., they may target only a > subset of architectures and kernel versions). > > Thanks, > Florian >