From: Steven Chamberlain
Date: Wed, 15 Mar 2017 13:06:15 +0000
To: freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
Subject: Re: arc4random weakness

Steven Chamberlain wrote:
> Please consider switching to ChaCha20 in the long term (kern/182610),
> but right now, at least increase the amount of early keystream that is
> discarded.

Many, many thanks delphij+so for applying the latter change so quickly!

Also it is great to see INHERIT_ZERO was added to mmap(2)! (It will avoid the overhead of a getpid(2) syscall on every call to arc4random_buf(3) to determine if reseeding is needed. That wasn't guaranteed reliable anyway; if you have forked twice, then by chance/manipulation the new pid *could* be the same as the ancestor's).

Thanks!

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org
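
The fork check discussed in the message above, as an added example that is not part of the original post and is not FreeBSD's libc code: a marker word sits on a page the kernel zero-fills in every child, so the reseed test is a plain memory read and does not depend on pid values. The function names are hypothetical; the page is marked with minherit(2) and INHERIT_ZERO where the headers provide it, or madvise(2) with MADV_WIPEONFORK on Linux.

```c
#define _DEFAULT_SOURCE 1       /* exposes MAP_ANON and madvise on glibc */
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Marker word on a page that every child receives zero-filled. */
static volatile unsigned *seeded;
/* Map the marker page and request zero-on-fork; 0 on success, -1 if unsupported. */
int marker_init(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE, -1, 0);
    int rc = -1;
    if (p == MAP_FAILED)
        return -1;
#if defined(INHERIT_ZERO)
    rc = minherit(p, len, INHERIT_ZERO);        /* BSD */
#elif defined(MADV_WIPEONFORK)
    rc = madvise(p, len, MADV_WIPEONFORK);      /* Linux 4.14 and later */
#endif
    if (rc != 0)
        return -1;
    seeded = p;
    return 0;
}

/* Hypothetical generator entry check: returns 1 when a reseed was required. */
int reseed_if_needed(void)
{
    if (*seeded)
        return 0;
    /* a real generator would pull fresh kernel entropy here */
    *seeded = 1;
    return 1;
}

/* Fork once: 1 if the child found the marker wiped, 0 if not, -1 on error. */
int child_needs_reseed(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(reseed_if_needed() ? 42 : 0);
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 42;
}
```

The parent's marker is untouched by the fork, so only the child reseeds.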