From owner-freebsd-hackers@freebsd.org Wed Dec 9 19:17:06 2020
Date: Wed, 9 Dec 2020 19:16:58 +0000
From: RW
To: freebsd-hackers@freebsd.org
Subject: Re: arc4random initialization
Message-ID: <20201209191658.42063a95@gumby.homeunix.com>
References: <20201206153625.13e349a8@bigus.dream-tech.com>
List-Id: Technical Discussions relating to FreeBSD

On Mon, 7 Dec 2020 18:52:03 -0800
Conrad Meyer wrote:

> > The risk would be that kernel arc4random is initialized early and
> > insecurely and there's no appropriate read_random() call to reseed
> > it before something critical uses it.
>
> arc4random(9) is integrated with random(4), so that arc4random is
> immediately reseeded when the random device is seeded.

But that can only happen when something reads from random(4). Fortuna
doesn't spontaneously seed itself.

However, I'd forgotten that modern userland arc4random seeds through
getrandom(2), which substantially mitigates the problem by creating more
reads from random(4) and reducing the importance of kernel arc4random.

It is theoretically possible for kernel arc4random to be used unseeded
for up to 5 minutes. It would probably need to be an atypical setup
though, maybe embedded. But it sounds like better use of hardware
generators in current would mostly solve this.

> However, the concern still applies to userspace arc4random(3), which
> is not integrated with core random(4) reseeds.

It looks to be integrated to the extent that it initializes through a
blocking call to getrandom, which is by far the most important thing.
Reseeding afterwards is mostly shutting the stable door after the horse
has bolted.
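The point RW makes above is that what protects a userland generator is the blocking getrandom(2) call at initialization, not any later reseeding. The following is an added example (not code from this thread, and not FreeBSD's libc arc4random(3) implementation) showing that discipline in C: a seed routine that uses flags == 0 so it blocks until random(4) is seeded, handles EINTR and short reads, and a separate non-blocking probe that reports whether the kernel pool is seeded yet, which is the check an integrator of an atypical or embedded setup would want. It assumes a Linux or FreeBSD 12+ libc exposing getrandom() and GRND_NONBLOCK in <sys/random.h>; the function names are hypothetical.

```c
/* Added example, not code from the thread or from FreeBSD's libc.
 * Assumes getrandom(2) and GRND_NONBLOCK from <sys/random.h>
 * (Linux, FreeBSD 12+). All function names below are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/random.h>
#include <sys/types.h>

#define SEED_LEN 32  /* 256-bit seed, enough for a ChaCha20-style generator */

/* Fill buf with exactly len bytes from the kernel CSPRNG.
 * flags == 0 makes the call block until random(4) is seeded, which is the
 * property the thread identifies as the one that matters at init time.
 * Returns 0 on success, -1 with errno set on failure. */
static int fill_random(unsigned char *buf, size_t len, unsigned int flags)
{
    size_t got = 0;
    while (got < len) {
        ssize_t n = getrandom(buf + got, len - got, flags);
        if (n < 0) {
            if (errno == EINTR)
                continue;   /* interrupted by a signal: retry */
            return -1;      /* EAGAIN (GRND_NONBLOCK, pool unseeded) or a real error */
        }
        got += (size_t)n;   /* short reads are possible for large requests */
    }
    return 0;
}

/* 1 if the kernel pool is already seeded, 0 if not yet, -1 on another error.
 * GRND_NONBLOCK means the probe itself never stalls, so it is safe to call
 * from a diagnostic or a boot-time health check. */
int kernel_pool_seeded(void)
{
    unsigned char probe[1];
    if (fill_random(probe, sizeof probe, GRND_NONBLOCK) == 0)
        return 1;
    return errno == EAGAIN ? 0 : -1;
}

/* Seed a user-space generator state. Blocks until the kernel is seeded, so
 * the generator can never emit output derived from an unseeded pool. */
int seed_userland_prng(unsigned char seed[SEED_LEN])
{
    return fill_random(seed, SEED_LEN, 0);
}

/* Obtain a seed and apply a cheap sanity check: an all-zero seed would
 * point at a broken source, not at a statistically plausible draw.
 * Returns 1 when a usable seed was obtained, 0 otherwise. */
int seed_and_check(void)
{
    unsigned char seed[SEED_LEN];
    unsigned char acc = 0;
    if (seed_userland_prng(seed) != 0)
        return 0;
    for (size_t i = 0; i < SEED_LEN; i++)
        acc |= seed[i];
    memset(seed, 0, sizeof seed);   /* wipe; production code would use explicit_bzero */
    return acc != 0;
}

int main(void)
{
    int ready = kernel_pool_seeded();
    printf("kernel pool seeded: %s\n",
           ready == 1 ? "yes" : ready == 0 ? "not yet" : "unknown");
    if (!seed_and_check()) {
        perror("getrandom");
        return 1;
    }
    printf("obtained a %d-byte seed via blocking getrandom(2)\n", SEED_LEN);
    return 0;
}
```

On a machine whose pool is seeded the probe returns 1 and the seed call returns immediately; on an early-boot or entropy-starved embedded system the probe returns 0 while seed_userland_prng() blocks rather than returning weak bytes, which is exactly the behaviour the thread credits for making later reseeding a secondary concern.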