Discussion:
arc4random_addrandom
Jeffrey Walton
2014-02-19 05:14:29 UTC
This does not quite look right:

ARC4RANDOM_EXPORT void
arc4random_addrandom(const unsigned char *dat, int datlen)
{
	int j;
	_ARC4_LOCK();
	if (!rs_initialized)
		arc4_stir();
	for (j = 0; j < datlen; j += 256) {
		/* arc4_addrandom() ignores all but the first 256 bytes of
		 * its input. We want to make sure to look at ALL the
		 * data in 'dat', just in case the user is doing something
		 * crazy like passing us all the files in /var/log. */
		arc4_addrandom(dat + j, datlen - j);
	}
	_ARC4_UNLOCK();
}

It looks like it's an O(n^2) algorithm, and it could be painful if all
the data in /var/log is passed in.

Iter 0:
data + 0, datalen - 0
Iter 1:
data + 256, datalen - 256
Iter 2:
data + 512, datalen - 512
...

Pictorially, I think it's:

****************
************
********
...

It feels like it should be:

k = min(256, datlen - j);
arc4_addrandom(dat + j, k);

Jeff
Yuriy Kaminskiy
2014-02-19 17:32:17 UTC
Post by Jeffrey Walton
ARC4RANDOM_EXPORT void
arc4random_addrandom(const unsigned char *dat, int datlen)
{
	int j;
	_ARC4_LOCK();
	if (!rs_initialized)
		arc4_stir();
	for (j = 0; j < datlen; j += 256) {
		/* arc4_addrandom() ignores all but the first 256 bytes of
		 * its input. We want to make sure to look at ALL the
		 * data in 'dat', just in case the user is doing something
		 * crazy like passing us all the files in /var/log. */
		arc4_addrandom(dat + j, datlen - j);
	}
	_ARC4_UNLOCK();
}
It looks like it's an O(n^2) algorithm, and it could be painful if all
It looks like it, but it is not. Please re-read the above comment.
Post by Jeffrey Walton
the data in /var/log is passed in.
data + 0, datalen - 0
arc4_addrandom processes only MIN(datalen - 0, 256)

[etc]
Post by Jeffrey Walton
k = min(256, datlen - j);
arc4_addrandom(dat + j, k);
This logic is already in arc4_addrandom().

BTW, OpenBSD has already transitioned its arc4random implementation from RC4 to
ChaCha.
Probably, libevent should follow suit.
If evutil_rand claims it is "secure PRNG code", it should really be a "secure
PRNG"; RC4 is not completely broken yet, but there are some rather troubling
attacks, and it is already considered unsafe for any non-legacy use (and there
are no backward-compatibility issues in a PRNG).

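To make the point of the thread concrete, here is an added model (not libevent code) of the arc4random_addrandom() loop with a hypothetical stand-in for arc4_addrandom() that, like the real one, looks at no more than 256 bytes per call; bytes_read() counts how many input bytes are examined, with and without that clamp. The names model_addrandom, model_random_addrandom, bytes_read and the sample buffer are all assumptions of this example.

```c
/* Added model of the arc4random_addrandom() loop discussed above. It is not
 * libevent code: model_addrandom() is a hypothetical stand-in for
 * arc4_addrandom() that, like the real one, looks at no more than 256
 * bytes per call, and bytes_read() counts the input bytes examined. */
#include <stddef.h>
#include <string.h>

#define ARC4_KEY_MAX 256   /* arc4_addrandom() ignores all but the first 256 bytes */
#define SAMPLE_MAX   4096  /* size of the constructed sample buffer below */

static unsigned char model_state[ARC4_KEY_MAX]; /* stand-in for the RC4 key schedule */
static size_t bytes_examined;                   /* input bytes the model has read */

/* Stand-in for arc4_addrandom(). With clamp != 0 it behaves like the real
 * function (MIN(datlen, 256)); with clamp == 0 it reads every byte it is
 * handed, which is the behaviour the O(n^2) reading assumed. */
static void model_addrandom(const unsigned char *dat, int datlen, int clamp)
{
    int n = (clamp && datlen > ARC4_KEY_MAX) ? ARC4_KEY_MAX : datlen;
    for (int i = 0; i < n; i++) {
        model_state[i % ARC4_KEY_MAX] ^= dat[i]; /* placeholder mixing only */
        bytes_examined++;
    }
}

/* The loop from arc4random_addrandom(), unchanged apart from the clamp flag. */
static void model_random_addrandom(const unsigned char *dat, int datlen, int clamp)
{
    for (int j = 0; j < datlen; j += ARC4_KEY_MAX)
        model_addrandom(dat + j, datlen - j, clamp);
}

/* Number of input bytes examined for a datlen-byte input. Returns 0 for
 * lengths outside the sample buffer. Clamped: exactly datlen (linear).
 * Unclamped: datlen + (datlen-256) + (datlen-512) + ... (quadratic). */
size_t bytes_read(int datlen, int clamp)
{
    unsigned char buf[SAMPLE_MAX];
    if (datlen < 0 || datlen > SAMPLE_MAX)
        return 0;
    memset(buf, 0xA5, sizeof buf);   /* constructed sample input */
    bytes_examined = 0;
    model_random_addrandom(buf, datlen, clamp);
    return bytes_examined;
}
```

With the clamp in place, a 1024-byte input costs 1024 byte reads; without it, the same loop would cost 1024 + 768 + 512 + 256 = 2560, which is the triangle Jeff drew.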