From: Ole Tange
Newsgroups: gnu.bash.bug
Subject: Re: $RANDOM not Cryptographically secure pseudorandom number generator
Date: Mon, 3 Dec 2018 00:13:31 +0100
To: Chet Ramey
Cc: bug-bash
References: <868cc2da-cf67-298f-4640-ab1afcf857e0@case.edu>
In-Reply-To: <868cc2da-cf67-298f-4640-ab1afcf857e0@case.edu>
List-Id: Bug reports for the GNU Bourne Again SHell
On Wed, Nov 21, 2018 at 11:45 PM Chet Ramey wrote:
> On 11/21/18 3:07 PM, Ole Tange wrote:
> > 'brand' in variables.c is comparable in size to ChaCha20 and ChaCha20
> > is not completely broken:
> > https://en.wikipedia.org/wiki/Salsa20
> >
> > Could we please replace 'brand' with ChaCha20?
>
> What is your application that you need something more complicated than
> the existing PRNG?

I do not have that currently, but it seems like a fairly small change
and it seems odd to have modern software not use modern algorithms.

Git's use of SHA1 seems to be a prime example of what can go wrong:
https://shattered.io/

If you look at the code it is really not much bigger:

    #include <stdint.h>

    #define ROTL(a,b) (((a) << (b)) | ((a) >> (32 - (b))))

    /* ChaCha quarter-round on four state words */
    #define QR(a, b, c, d) (              \
        a += b,  d ^= a,  d = ROTL(d,16), \
        c += d,  b ^= c,  b = ROTL(b,12), \
        a += b,  d ^= a,  d = ROTL(d, 8), \
        c += d,  b ^= c,  b = ROTL(b, 7))

    #define ROUNDS 20

    /* One ChaCha20 block: 16 input words (constants, key, counter, nonce)
       in, 16 keystream words out. */
    void chacha_block(uint32_t out[16], uint32_t const in[16])
    {
        int i;
        uint32_t x[16];

        for (i = 0; i < 16; ++i)
            x[i] = in[i];
        // 10 loops × 2 rounds/loop = 20 rounds
        for (i = 0; i < ROUNDS; i += 2) {
            // Odd round
            QR(x[0], x[4], x[ 8], x[12]); // column 0
            QR(x[1], x[5], x[ 9], x[13]); // column 1
            QR(x[2], x[6], x[10], x[14]); // column 2
            QR(x[3], x[7], x[11], x[15]); // column 3
            // Even round
            QR(x[0], x[5], x[10], x[15]); // diagonal 1 (main diagonal)
            QR(x[1], x[6], x[11], x[12]); // diagonal 2
            QR(x[2], x[7], x[ 8], x[13]); // diagonal 3
            QR(x[3], x[4], x[ 9], x[14]); // diagonal 4
        }
        for (i = 0; i < 16; ++i)
            out[i] = x[i] + in[i];
    }

Can you elaborate on why you think it is a bad idea to change an
insecure PRNG into a non-broken one?

/Ole
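The block function above only turns one (key, counter, nonce) state into 64 bytes of keystream; to serve as a $RANDOM replacement it still needs a state that carries the key and advances the block counter, and a way to cut the 32-bit words down to the 0..32767 range bash documents for $RANDOM. The following is an added example written for this edit, not Ole's posted code and not anything in bash's variables.c. It uses the original ChaCha state layout (words 12-13 as a 64-bit block counter, words 14-15 as a 64-bit nonce) and checks itself against the well-known all-zero-key, all-zero-nonce ChaCha20 keystream, which begins 76 b8 e0 ad a0 f1 3d 90. The names chacha_rng_seed, chacha_rng_next32, chacha_random15 and chacha_rng_uniform are this example's own. The demonstration key in main() is a constant only so the program runs offline; a real implementation would have to fill the key from the OS (getrandom(2) or equivalent) at startup and after fork(), which this example does not do.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROTL32(v, n) (((v) << (n)) | ((v) >> (32 - (n))))

/* ChaCha quarter-round, as in the reference description. */
#define QR(a, b, c, d) do {                  \
    a += b; d ^= a; d = ROTL32(d, 16);       \
    c += d; b ^= c; b = ROTL32(b, 12);       \
    a += b; d ^= a; d = ROTL32(d, 8);        \
    c += d; b ^= c; b = ROTL32(b, 7);        \
} while (0)

/* Generator state: the 16-word ChaCha input plus one buffered block. */
struct chacha_rng {
    uint32_t state[16];   /* constants | key | 64-bit counter | 64-bit nonce */
    uint32_t buf[16];     /* last keystream block */
    int      pos;         /* next unused word in buf; 16 means "empty" */
};

static uint32_t load32_le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Full 20-round ChaCha block: out = rounds(in) + in. */
static void chacha20_block(uint32_t out[16], const uint32_t in[16])
{
    uint32_t x[16];
    int i;
    memcpy(x, in, sizeof x);
    for (i = 0; i < 20; i += 2) {
        QR(x[0], x[4], x[ 8], x[12]);  /* column rounds */
        QR(x[1], x[5], x[ 9], x[13]);
        QR(x[2], x[6], x[10], x[14]);
        QR(x[3], x[7], x[11], x[15]);
        QR(x[0], x[5], x[10], x[15]);  /* diagonal rounds */
        QR(x[1], x[6], x[11], x[12]);
        QR(x[2], x[7], x[ 8], x[13]);
        QR(x[3], x[4], x[ 9], x[14]);
    }
    for (i = 0; i < 16; i++)
        out[i] = x[i] + in[i];
}

/* Seed with a 256-bit key and 64-bit nonce; the block counter starts at 0.
   (Example API, not bash's. The key must come from the OS in real use.) */
void chacha_rng_seed(struct chacha_rng *r, const uint8_t key[32], const uint8_t nonce[8])
{
    static const uint32_t sigma[4] = {   /* "expand 32-byte k" */
        0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 };
    int i;
    for (i = 0; i < 4; i++) r->state[i] = sigma[i];
    for (i = 0; i < 8; i++) r->state[4 + i] = load32_le(key + 4 * i);
    r->state[12] = 0;                     /* counter, low word */
    r->state[13] = 0;                     /* counter, high word */
    r->state[14] = load32_le(nonce);
    r->state[15] = load32_le(nonce + 4);
    r->pos = 16;
}

/* Next 32-bit keystream word; refills the buffer and bumps the counter
   when the current block is used up. */
uint32_t chacha_rng_next32(struct chacha_rng *r)
{
    if (r->pos >= 16) {
        chacha20_block(r->buf, r->state);
        if (++r->state[12] == 0)          /* 64-bit counter across words 12-13 */
            ++r->state[13];
        r->pos = 0;
    }
    return r->buf[r->pos++];
}

/* $RANDOM-shaped output: a uniform integer in 0..32767 (15 bits).
   Masking a uniform 32-bit word keeps it uniform, unlike x % 32768 of
   a biased source. */
int chacha_random15(struct chacha_rng *r)
{
    return (int)(chacha_rng_next32(r) & 0x7fffu);
}

/* Uniform integer in 0..n-1 by rejection sampling (the arc4random_uniform
   construction): reject words below 2^32 mod n so that x % n is unbiased. */
uint32_t chacha_rng_uniform(struct chacha_rng *r, uint32_t n)
{
    uint32_t min, x;
    if (n < 2) return 0;
    min = (0u - n) % n;                   /* == 2^32 mod n */
    for (;;) {
        x = chacha_rng_next32(r);
        if (x >= min) return x % n;
    }
}

int main(void)
{
    /* Constructed, all-zero demonstration seed: matches the standard
       ChaCha20 zero-key/zero-nonce test vector. Never seed like this. */
    uint8_t key[32] = {0}, nonce[8] = {0};
    struct chacha_rng r;
    int i;
    chacha_rng_seed(&r, key, nonce);
    printf("first word 0x%08x (expect 0xade0b876)\n", chacha_rng_next32(&r));
    for (i = 0; i < 5; i++)
        printf("$RANDOM-style: %d  d6: %u\n", chacha_random15(&r),
               chacha_rng_uniform(&r, 6) + 1);
    return 0;
}
```

The counter handling is the part that matters operationally: each 64-byte block is consumed exactly once, and the 64-bit counter means the stream never repeats within any realistic shell lifetime. What the block function cannot fix on its own is seeding; an all-zero or low-entropy key makes every output predictable no matter how strong the cipher is.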