From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on dcvr.yhbt.net X-Spam-Level: X-Spam-Status: No, score=-4.1 required=3.0 tests=AWL,BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,NICE_REPLY_A, RCVD_IN_DNSWL_MED,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,SPF_HELO_PASS, SPF_PASS shortcircuit=no autolearn=unavailable autolearn_force=no version=3.4.2 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dcvr.yhbt.net (Postfix) with ESMTPS id 107891F4B4 for ; Tue, 12 Jan 2021 01:06:56 +0000 (UTC) Received: from localhost ([::1]:59294 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1kz898-0002ph-T4 for normalperson@yhbt.net; Mon, 11 Jan 2021 20:06:54 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:46306) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1kz895-0002pJ-DJ for bug-gnulib@gnu.org; Mon, 11 Jan 2021 20:06:51 -0500 Received: from zimbra.cs.ucla.edu ([131.179.128.68]:34540) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1kz892-0002h3-TB for bug-gnulib@gnu.org; Mon, 11 Jan 2021 20:06:50 -0500 Received: from localhost (localhost [127.0.0.1]) by zimbra.cs.ucla.edu (Postfix) with ESMTP id 872C716010A; Mon, 11 Jan 2021 17:06:44 -0800 (PST) Received: from zimbra.cs.ucla.edu ([127.0.0.1]) by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10032) with ESMTP id DysNTBLxjoxy; Mon, 11 Jan 2021 17:06:43 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by zimbra.cs.ucla.edu (Postfix) with ESMTP id 56438160110; Mon, 11 Jan 2021 17:06:43 -0800 (PST) X-Virus-Scanned: amavisd-new at zimbra.cs.ucla.edu Received: from zimbra.cs.ucla.edu ([127.0.0.1]) by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id KwqpSXBiTdyj; Mon, 11 Jan 2021 17:06:43 -0800 (PST) Received: from [192.168.1.9] (cpe-23-243-218-95.socal.res.rr.com [23.243.218.95]) by zimbra.cs.ucla.edu (Postfix) with ESMTPSA id 2347B16010A; Mon, 11 Jan 2021 17:06:43 -0800 (PST) To: Adhemerval Zanella References: <20210104170349.3681241-1-adhemerval.zanella@linaro.org> <20210104170349.3681241-2-adhemerval.zanella@linaro.org> From: Paul Eggert Organization: UCLA Computer Science Department Subject: Re: [PATCH 2/2] posix: Improve randomness on try_tempname_len Message-ID: <689b83fc-f990-f553-f463-7376c211a676@cs.ucla.edu> Date: Mon, 11 Jan 2021 17:06:42 -0800 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.5.0 MIME-Version: 1.0 In-Reply-To: Content-Type: multipart/mixed; boundary="------------19F305527FB5C9102D5936A6" Content-Language: en-US Received-SPF: pass client-ip=131.179.128.68; envelope-from=eggert@cs.ucla.edu; helo=zimbra.cs.ucla.edu X-Spam_score_int: -41 X-Spam_score: -4.2 X-Spam_bar: ---- X-Spam_report: (-4.2 / 5.0 requ) BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: bug-gnulib@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Gnulib discussion list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: libc-alpha@sourceware.org, bug-gnulib@gnu.org Errors-To: bug-gnulib-bounces+normalperson=yhbt.net@gnu.org Sender: "bug-gnulib" This is a multi-part message in MIME format. --------------19F305527FB5C9102D5936A6 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: quoted-printable On 1/11/21 4:29 AM, Adhemerval Zanella wrote: > The idea is to always issue getrandom for __GT_DIR or __GT_FILE on firs= t try, > as you suggested initially [1]. I followed your idea [2]:... > [1]=20 https://sourceware.org/pipermail/libc-alpha/2020-September/117535.html > [2] https://sourceware.org/pipermail/libc-alpha/2020-September/117539.h= tml Ah, thanks, I'd forgotten about that conversation. I looked at the patch=20 =20 again. A couple of small things. First, it uses bool so needs to include=20 stdbool.h. Second, the generated code's a bit smaller if we call=20 random_bits only once. I added those two changes and installed the=20 attached patch to Gnulib master on savannah, with the idea being that=20 Gnulib's tempname.c can be identical to glibc's. --------------19F305527FB5C9102D5936A6 Content-Type: text/x-patch; charset=UTF-8; name="0001-tempname-consume-less-entropy.patch" Content-Transfer-Encoding: quoted-printable Content-Disposition: attachment; filename="0001-tempname-consume-less-entropy.patch" =46rom 23c0672c281a949c254ef0c173eab987ab876e29 Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Mon, 11 Jan 2021 16:46:12 -0800 Subject: [PATCH] tempname: consume less entropy Derived from a glibc patch proposed by Adhemerval Zanella in: https://sourceware.org/pipermail/libc-alpha/2021-January/121302.html * lib/tempname.c: Include stdbool.h. (random_bits): New arg use_getrandom. (try_tempname_len): Skip getrandom on the first try, unless __GT_NOCREATE. * modules/tempname (Depends-on): Add stdbool. --- ChangeLog | 11 +++++++++++ lib/tempname.c | 17 ++++++++++++++--- modules/tempname | 1 + 3 files changed, 26 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index c6f5295b4..0d0144242 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,14 @@ +2021-01-11 Paul Eggert + + tempname: consume less entropy + Derived from a glibc patch proposed by Adhemerval Zanella in: + https://sourceware.org/pipermail/libc-alpha/2021-January/121302.html + * lib/tempname.c: Include stdbool.h. + (random_bits): New arg use_getrandom. + (try_tempname_len): Skip getrandom on the first try, + unless __GT_NOCREATE. + * modules/tempname (Depends-on): Add stdbool. + 2021-01-10 Bruno Haible =20 lchmod-tests: Fix link error. diff --git a/lib/tempname.c b/lib/tempname.c index f199b25a7..5f804b38d 100644 --- a/lib/tempname.c +++ b/lib/tempname.c @@ -22,6 +22,7 @@ =20 #include #include +#include =20 #include =20 @@ -77,11 +78,11 @@ typedef uint_fast64_t random_value; #define BASE_62_POWER (62LL * 62 * 62 * 62 * 62 * 62 * 62 * 62 * 62 * 62= ) =20 static random_value -random_bits (random_value var) +random_bits (random_value var, bool use_getrandom) { random_value r; /* Without GRND_NONBLOCK it can be blocked for minutes on some systems= =2E */ - if (__getrandom (&r, sizeof r, GRND_NONBLOCK) =3D=3D sizeof r) + if (use_getrandom && __getrandom (&r, sizeof r, GRND_NONBLOCK) =3D=3D = sizeof r) return r; #if _LIBC || (defined CLOCK_MONOTONIC && HAVE_CLOCK_GETTIME) /* Add entropy if getrandom did not work. */ @@ -269,6 +270,13 @@ try_tempname_len (char *tmpl, int suffixlen, void *a= rgs, /* How many random base-62 digits can currently be extracted from V. = */ int vdigits =3D 0; =20 + /* Whether to consume entropy when acquiring random bits. On the + first try it's worth the entropy cost with __GT_NOCREATE, which + is inherently insecure and can use the entropy to make it a bit + less secure. On the (rare) second and later attempts it might + help against DoS attacks. */ + bool use_getrandom =3D tryfunc =3D=3D try_nocreate; + /* Least unfair value for V. If V is less than this, V can generate BASE_62_DIGITS digits fairly. Otherwise it might be biased. */ random_value const unfair_min @@ -292,7 +300,10 @@ try_tempname_len (char *tmpl, int suffixlen, void *a= rgs, if (vdigits =3D=3D 0) { do - v =3D random_bits (v); + { + v =3D random_bits (v, use_getrandom); + use_getrandom =3D true; + } while (unfair_min <=3D v); =20 vdigits =3D BASE_62_DIGITS; diff --git a/modules/tempname b/modules/tempname index 27b0d3d23..4779735d9 100644 --- a/modules/tempname +++ b/modules/tempname @@ -17,6 +17,7 @@ libc-config lstat mkdir stdalign +stdbool stdint sys_stat time --=20 2.27.0 --------------19F305527FB5C9102D5936A6--