From owner-freebsd-security@freebsd.org Mon Mar 13 22:06:49 2017
Date: Mon, 13 Mar 2017 22:06:39 +0000
From: Steven Chamberlain
To: freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
Subject: Re: arc4random weakness (was: WikiLeaks CIA Exploits: FreeBSD References Within)
Message-ID: <20170313220639.GB65190@pyro.eu.org>

From this document (TOP SECRET//SI//NOFORN):
https://wikileaks.org/ciav7p1/cms/files/NOD%20Cryptographic%20Requirements%20v1.1%20TOP%20SECRET.pdf

version 1.0 said:

| 8. (S//NF) [...] If RC4 is used, at least the first 1024
| bytes of the cryptostream must be discarded and may not be used

and that is exactly what FreeBSD's libc and in-kernel arc4random
implementations do.

version 1.1 received input from another agency:

| (C//SI//REL FVEY) Coordinated with NSA/CES.

and a new requirement was introduced:

| (TS//SI) 5.9: Added additional information about proper use of RC4.

| 9. (TS//SI) Further than stated above, if RC4 is used the first 3072
| bytes of the cryptostream must be discarded and may not be used.

I think you should take that to mean, the NSA has, or suspects someone
else to have, a practical attack on RC4 when being used as FreeBSD does
currently. The document seems 4-5 years old already as it prohibits use
of RC4 at all from 2014 onward.
Please consider switching to ChaCha20 in the long term (kern/182610),
but right now, at least increase the amount of early keystream that is
discarded.

Many thanks,
Regards,
--
Steven Chamberlain
steven@pyro.eu.org

[attachment: arc4random.patch]
diff -Nru a/head/lib/libc/gen/arc4random.c b/head/lib/libc/gen/arc4random.c --- a/head/lib/libc/gen/arc4random.c 2016-10-12 14:56:14.834409000 +0100 +++ b/head/lib/libc/gen/arc4random.c 2017-03-13 21:57:16.532833171 +0000 @@ -160,7 +160,7 @@ * Discard early keystream, as per recommendations in: * "(Not So) Random Shuffles of RC4" by Ilya Mironov. */ - for (i = 0; i < 1024; i++) + for (i = 0; i < 3072; i++) (void)arc4_getbyte(); arc4_count = 1600000; } diff -Nru a/head/sys/libkern/arc4random.c b/head/sys/libkern/arc4random.c --- a/head/sys/libkern/arc4random.c 2016-11-25 17:20:23.862538000 +0000 +++ b/head/sys/libkern/arc4random.c 2017-03-13 21:58:45.985402563 +0000
@@ -84,11 +84,11 @@ /* * Throw away the first N words of output, as suggested in the * paper "Weaknesses in the Key Scheduling Algorithm of RC4" - * by Fluher, Mantin, and Shamir. (N = 256 in our case.) + * by Fluher, Mantin, and Shamir. (N = 768 in our case.) * * http://dl.acm.org/citation.cfm?id=646557.694759 */ - for (n = 0; n < 256*4; n++) + for (n = 0; n < 768*4; n++) arc4_randbyte(arc4); mtx_unlock(&arc4->mtx);
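Review bot: nothing in the libc hunk records why the drop grew from 1024 to 3072; the comment still cites only Mironov, so the next reader of arc4random.c cannot tell whether 3072 is a considered minimum or an arbitrary bump. Put the rationale from the mail body into the comment, or better, hoist the count into a named constant (something like `ARC4_DROP_BYTES`) so the libc and libkern copies cannot drift apart again. Leaving `arc4_count = 1600000;` untouched is correct: the reseed interval is independent of the initial discard.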
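Review bot: in the libkern hunk the comment counts "words" (`N = 768`) while the loop discards bytes (`768*4` calls to `arc4_randbyte()`), so a reader has to multiply to confirm this is the same 3072 bytes as the libc change; state the byte count directly, e.g. `/* Discard the first 3072 bytes of keystream. */`, and while the citation line is being touched anyway, fix `Fluher` to `Fluhrer`.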
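Added example, not part of Steven's mail and not FreeBSD's arc4random.c: a stand-alone C program that measures the bias the discard loop in the patch above exists to remove. It uses the Mantin-Shamir observation that the second RC4 output byte is zero with probability about 1/128 rather than 1/256, generates many keys, and compares the rate with no discard against the rate after discarding 3072 bytes the way the patched code does. The RC4 implementation, the 16-byte key length and the xorshift key generator are this example's own choices; the xorshift is a deterministic stand-in for real key material, not a CSPRNG.

```c
/*
 * Added example (not FreeBSD code): show the Mantin-Shamir second-byte
 * bias of RC4 and that discarding early keystream, as the patched
 * arc4random does, removes it.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct rc4 { uint8_t s[256]; uint8_t i, j; };

/* Key-scheduling algorithm (KSA). */
static void rc4_init(struct rc4 *r, const uint8_t *key, size_t klen)
{
    int k, j;
    for (k = 0; k < 256; k++) r->s[k] = (uint8_t)k;
    for (k = 0, j = 0; k < 256; k++) {
        uint8_t t;
        j = (j + r->s[k] + key[k % klen]) & 0xff;
        t = r->s[k]; r->s[k] = r->s[j]; r->s[j] = t;
    }
    r->i = r->j = 0;
}

/* Pseudo-random generation algorithm (PRGA): one keystream byte. */
static uint8_t rc4_byte(struct rc4 *r)
{
    uint8_t t;
    r->i = (uint8_t)(r->i + 1);
    r->j = (uint8_t)(r->j + r->s[r->i]);
    t = r->s[r->i]; r->s[r->i] = r->s[r->j]; r->s[r->j] = t;
    return r->s[(uint8_t)(r->s[r->i] + r->s[r->j])];
}

/* Mirrors the discard loop in arc4random.c: throw away the first n bytes. */
static void rc4_drop(struct rc4 *r, size_t n)
{
    while (n--) (void)rc4_byte(r);
}

/* xorshift64: deterministic stand-in for real key material, NOT a CSPRNG. */
static uint64_t xs_state = 0x9E3779B97F4A7C15ull;
static uint64_t xorshift64(void)
{
    uint64_t x = xs_state;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return xs_state = x;
}

/*
 * Fraction of random 16-byte keys for which the second byte of the kept
 * keystream (after dropping `drop` bytes) is zero. Mantin and Shamir
 * showed Pr[Z_2 = 0] is about 2/256 for drop = 0; an unbiased stream
 * gives 1/256.
 */
double second_byte_zero_rate(int nkeys, size_t drop)
{
    int zeros = 0, k, b;
    for (k = 0; k < nkeys; k++) {
        uint8_t key[16];
        struct rc4 r;
        for (b = 0; b < 16; b += 8) {
            uint64_t v = xorshift64();
            memcpy(key + b, &v, 8);
        }
        rc4_init(&r, key, sizeof key);
        rc4_drop(&r, drop);
        (void)rc4_byte(&r);              /* first kept byte */
        if (rc4_byte(&r) == 0) zeros++;  /* second kept byte */
    }
    return (double)zeros / nkeys;
}

int main(void)
{
    printf("drop 0:    Pr[Z2 = 0] = %.5f (expect about 1/128 = 0.00781)\n",
           second_byte_zero_rate(40000, 0));
    printf("drop 3072: Pr[Z2 = 0] = %.5f (expect about 1/256 = 0.00391)\n",
           second_byte_zero_rate(40000, 3072));
    return 0;
}
```

With 40000 keys the undiscarded rate sits near 0.0078 and the discarded rate near 0.0039; the 3072-byte drop costs about 3072 PRGA steps per reseed, which is why the thread treats it as the cheap interim fix and ChaCha20 as the long-term one.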
From owner-freebsd-security@freebsd.org Tue Mar 14 02:04:19 2017
From: Dewayne Geraghty
Date: Tue, 14 Mar 2017 13:03:47 +1100
Subject: Re: arc4random weakness (was: WikiLeaks CIA Exploits: FreeBSD References Within)
To: Steven Chamberlain
Cc: freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
In-Reply-To: <20170313220639.GB65190@pyro.eu.org>

On 14 March 2017 at 09:06, Steven Chamberlain wrote:
> From this document (TOP SECRET//SI//NOFORN):
> https://wikileaks.org/ciav7p1/cms/files/NOD%20Cryptographic%20Requirements%20v1.1%20TOP%20SECRET.pdf
>
> version 1.0 said:
>
> | 8. (S//NF) [...] If RC4 is used, at least the first 1024
> | bytes of the cryptostream must be discarded and may not be used
>
> and that is exactly what FreeBSD's libc and in-kernel arc4random
> implementations do.
>
> version 1.1 received input from another agency:
>
> | (C//SI//REL FVEY) Coordinated with NSA/CES.
>
> and a new requirement was introduced:
>
> | (TS//SI) 5.9: Added additional information about proper use of RC4.
>
> | 9. (TS//SI) Further than stated above, if RC4 is used the first 3072
> | bytes of the cryptostream must be discarded and may not be used.
>
> I think you should take that to mean, the NSA has, or suspects someone
> else to have, a practical attack on RC4 when being used as FreeBSD does
> currently. The document seems 4-5 years old already as it prohibits use
> of RC4 at all from 2014 onward.
>
> Please consider switching to ChaCha20 in the long term (kern/182610),
> but right now, at least increase the amount of early keystream that is
> discarded.
>
> Many thanks,
> Regards,
> --
> Steven Chamberlain
> steven@pyro.eu.org

Thanks Steven.
I wasn't aware that OpenBSD was 3.5+ years ahead of the curve in terms of
securing against RC4 weaknesses, compared to FreeBSD. Perhaps they have
access to a mole ;)

The pointer to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=182610
probably needs a push along. (or a local patch, which mostly applied to
/usr/src/lib/libc/gen/arc4random.c ; 2 of 13 hunks need a manual adjustment)

From owner-freebsd-security@freebsd.org Wed Mar 15 13:06:30 2017
Date: Wed, 15 Mar 2017 13:06:15 +0000
From: Steven Chamberlain
To: freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
Subject: Re: arc4random weakness
Message-ID: <20170315130615.GC25448@pyro.eu.org>
In-Reply-To: <20170313220639.GB65190@pyro.eu.org>

Steven Chamberlain wrote:
> Please consider switching to ChaCha20 in the long term (kern/182610),
> but right now, at least increase the amount of early keystream that is
> discarded.

Many, many thanks delphij+so for applying the latter change so quickly!

Also it is great to see INHERIT_ZERO was added to mmap(2)! (It will
avoid the overhead of a getpid(2) syscall on every call to
arc4random_buf(3) to determine if reseeding is needed. That wasn't
guaranteed reliable anyway; if you have forked twice, then by
chance/manipulation the new pid *could* be the same as the ancestor's).

Thanks!
Regards,
--
Steven Chamberlain
steven@pyro.eu.org

From owner-freebsd-security@freebsd.org Wed Mar 15 20:21:36 2017
From: Andrey Chernov
To: Steven Chamberlain, freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
Subject: Re: arc4random weakness
Message-ID: <5160183b-9778-59aa-6cf9-118014a588eb@freebsd.org>
Date: Wed, 15 Mar 2017 23:13:26 +0300
In-Reply-To: <20170315130615.GC25448@pyro.eu.org>
On 15.03.2017 16:06, Steven Chamberlain wrote:
> Also it is great to see INHERIT_ZERO was added to mmap(2)!

It is not so great. For a program which forks very often, zeroing even
one page will be a slowdown. It will be better and faster to implement
it as a fork syscall wrapper setting a single variable, as is already
done for the threaded lib.

From owner-freebsd-security@freebsd.org Thu Mar 16 12:57:15 2017
From: Dag-Erling Smørgrav
To: Andrey Chernov
Cc: Steven Chamberlain, freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
Subject: Re: arc4random weakness
Date: Thu, 16 Mar 2017 13:48:45 +0100
In-Reply-To: <5160183b-9778-59aa-6cf9-118014a588eb@freebsd.org>
Message-ID: <86k27pz8sy.fsf@desk.des.no>

Andrey Chernov writes:
> Steven Chamberlain writes:
> > Also it is great to see INHERIT_ZERO was added to mmap(2)!
> It is not so great. For a program which forks very often zeroing even
> one page will be slowdown.

Wouldn't it be possible to just set up the page entry but leave it
unmapped, so that it is paged in (and zeroed if necessary) on first
access? Thus, a process that uses arc4random() and fork()s would not
incur a penalty until (and unless) the child uses arc4random() too.

> It will be better and faster to implement it as fork syscall wrapper
> setting single variable, as it already done for threaded lib.

fork() and vfork() and pdfork() and... From a security point of view, I
prefer to have it in a single place.
DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@freebsd.org Thu Mar 16 13:19:54 2017
Date: Thu, 16 Mar 2017 15:19:46 +0200
From: Konstantin Belousov
To: Dag-Erling Smørgrav
Cc: Andrey Chernov, freebsd-security@freebsd.org, freebsd-hackers@freebsd.org, Steven Chamberlain
Subject: Re: arc4random weakness
Message-ID: <20170316131946.GN16105@kib.kiev.ua>
In-Reply-To: <86k27pz8sy.fsf@desk.des.no>

On Thu, Mar 16, 2017 at 01:48:45PM +0100, Dag-Erling Smørgrav wrote:
> Andrey Chernov writes:
> > Steven Chamberlain writes:
> > > Also it is great to see INHERIT_ZERO was added to mmap(2)!
> > It is not so great. For a program which forks very often zeroing even
> > one page will be slowdown.
>
> Wouldn't it be possible to just set up the page entry but leave it
> unmapped, so that it is paged in (and zeroed if necessary) on first
> access? Thus, a process that uses arc4random() and fork()s would not
> incur a penalty until (and unless) the child uses arc4random() too.

This is how the forking code works, without any additional coding, for
the INHERIT_ZERO regions as well.

> > It will be better and faster to implement it as fork syscall wrapper
> > setting single variable, as it already done for threaded lib.
>
> fork() and vfork() and pdfork() and...
> From a security point of view, I
> prefer to have it in a single place.

From owner-freebsd-security@freebsd.org Thu Mar 16 17:24:50 2017
From: Xin LI
Date: Thu, 16 Mar 2017 10:24:48 -0700
Subject: Re: arc4random weakness
To: Andrey Chernov
Cc: Steven Chamberlain, freebsd-security@freebsd.org, freebsd
In-Reply-To: <5160183b-9778-59aa-6cf9-118014a588eb@freebsd.org>

On Wed, Mar 15, 2017 at 1:13 PM, Andrey Chernov wrote:
> On 15.03.2017 16:06, Steven Chamberlain wrote:
>> Also it is great to see INHERIT_ZERO was added to mmap(2)!
>
> It is not so great. For a program which forks very often zeroing even
> one page will be slowdown. It will be better and faster to implement it
> as fork syscall wrapper setting single variable, as it already done for
> threaded lib.

I think it's exactly what was done (and unlike a fork wrapper, the
zeroing only happens on-demand, i.e. when the page is first touched).
Cheers,

From owner-freebsd-security@freebsd.org Thu Mar 16 19:26:20 2017
From: Andrey Chernov
To: Xin LI
Cc: Steven Chamberlain, des@des.no, kostikbel@gmail.com, freebsd-security@freebsd.org, freebsd
Subject: Re: arc4random weakness
Message-ID: <8677f9d8-b326-2526-47ce-f2e18421c074@freebsd.org>
Date: Thu, 16 Mar 2017 22:26:09 +0300

On 16.03.2017 20:24, Xin LI wrote:
> On Wed, Mar 15, 2017 at 1:13 PM, Andrey Chernov wrote:
>> On 15.03.2017 16:06, Steven Chamberlain wrote:
>>> Also it is great to see INHERIT_ZERO was added to mmap(2)!
>>
>> It is not so great. For a program which forks very often zeroing even
>> one page will be slowdown. It will be better and faster to implement it
>> as fork syscall wrapper setting single variable, as it already done for
>> threaded lib.
>
> I think it's exactly what it was done (and unlike a fork wrapper, the
> zeroing only happens on-demand, i.e. when the page is first touched).

Theo kindly explained that zeroing the whole page instead of a single
variable suits his newest arc4random better, since it clears two structs
at once (including the ChaCha state), making some form of backward secrecy.
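Added example, not code from any of the mails above and not FreeBSD's or OpenBSD's arc4random: a stand-alone C program showing the two points the INHERIT_ZERO discussion turns on. First, the failure mode: a child that inherits the parent's generator page unchanged produces exactly the output the parent would have produced next, so anything derived from it (nonces, session keys) is duplicated across the fork. Second, the fix the thread describes: keeping the state on a page marked zero-on-fork, so the child finds a cleared "seeded" flag and reseeds lazily on its first use, with no getpid() check and no cost to a child that never touches the page. The page is marked with minherit(INHERIT_ZERO) on FreeBSD/OpenBSD and, as an assumption for running this on Linux, with madvise(MADV_WIPEONFORK), the Linux primitive modelled on INHERIT_ZERO. The xorshift generator and the counter standing in for the kernel entropy source are this example's own stand-ins, not cryptographic.

```c
/*
 * Added example (not FreeBSD/OpenBSD code): why a forked child must not
 * reuse the parent's arc4random state, and how a zero-on-fork page lets
 * the child notice and reseed without a getpid() check.
 */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define STATE_PAGE 4096

/* Toy generator state; stands in for the real arc4random/ChaCha state. */
struct rng_state {
    uint32_t seeded;   /* reads as 0 on a freshly zeroed page: "reseed me" */
    uint64_t x;        /* xorshift64 state, NOT cryptographic */
};

/* Counter standing in for sysctl kern.arandom / getrandom(2). */
static uint64_t fake_entropy = 0x1234;

static void rng_seed(struct rng_state *st)
{
    st->x = (fake_entropy++ + 1) * 0x9E3779B97F4A7C15ull; /* never zero */
    st->seeded = 1;
}

static uint64_t rng_next(struct rng_state *st)
{
    uint64_t x;
    if (!st->seeded) rng_seed(st);   /* the entire fork check */
    x = st->x;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return st->x = x;
}

/* Map one page for the state and, if asked, mark it zero-on-fork. */
static struct rng_state *rng_map(int wipe_on_fork)
{
    void *p = mmap(NULL, STATE_PAGE, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    if (wipe_on_fork) {
#if defined(MADV_WIPEONFORK)                 /* Linux >= 4.14 */
        if (madvise(p, STATE_PAGE, MADV_WIPEONFORK) != 0) { munmap(p, STATE_PAGE); return NULL; }
#elif defined(INHERIT_ZERO)                  /* FreeBSD / OpenBSD */
        if (minherit(p, STATE_PAGE, INHERIT_ZERO) != 0) { munmap(p, STATE_PAGE); return NULL; }
#else
        munmap(p, STATE_PAGE); return NULL;  /* no zero-on-fork primitive here */
#endif
    }
    return p;
}

int wipe_on_fork_supported(void)
{
    struct rng_state *st = rng_map(1);
    if (!st) return 0;
    munmap(st, STATE_PAGE);
    return 1;
}

/*
 * Seed in the parent, draw once, fork, then compare the child's first
 * output with the parent's next output. Returns 1 if they differ (child
 * reseeded), 0 if identical (shared state leaked across fork), -1 on error.
 */
int fork_outputs_differ(int wipe_on_fork)
{
    struct rng_state *st = rng_map(wipe_on_fork);
    int fd[2];
    pid_t pid;
    uint64_t child_v = 0, parent_v;

    if (!st) return -1;
    (void)rng_next(st);                /* parent seeds and uses the generator */
    if (pipe(fd) != 0) return -1;
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        uint64_t v = rng_next(st);     /* page is zero here only if wipe_on_fork */
        _exit(write(fd[1], &v, sizeof v) == (ssize_t)sizeof v ? 0 : 1);
    }
    close(fd[1]);
    if (read(fd[0], &child_v, sizeof child_v) != (ssize_t)sizeof child_v) return -1;
    close(fd[0]);
    waitpid(pid, NULL, 0);
    parent_v = rng_next(st);           /* parent's page is untouched by the fork */
    munmap(st, STATE_PAGE);
    return child_v != parent_v;
}

int main(void)
{
    printf("plain page:        child output differs from parent: %d (0 = duplicated)\n",
           fork_outputs_differ(0));
    printf("zero-on-fork page: child output differs from parent: %d (1 = child reseeded)\n",
           fork_outputs_differ(1));
    return 0;
}
```

The zeroing is copy-on-write in both the Linux and the BSD implementations, which is kib's point above: the parent pays nothing and the child pays one page fault only when it first touches the state. Real code would reseed from the kernel entropy source rather than a counter, and would keep the cipher state and the output buffer on the same page so that both are cleared together, which is the backward-secrecy property Andrey relays from Theo.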