random generator, using arc4 api on Mac rather than "wasting" #6591

Closed
wants to merge 1 commit into from

devnexen
Member

@devnexen devnexen commented Jan 9, 2021

file descriptors.

@nikic
Member

nikic commented Jan 9, 2021

cc @paragonie-scott (or is it @paragonie-security?)

I believe we allow arc4random_buf only on platforms where it uses a kernel generator. Is that the case on macOS?

@devnexen
Member Author

devnexen commented Jan 9, 2021

It is reseeded by the kernel generator on a regular basis.

@paragonie-security
Contributor

From our understanding, arc4random_buf on OS X should be fine.

@nikic
Member

nikic commented Jan 11, 2021

@paragonie-security Thanks for checking!

Now I remember that the original issue here was arc4random implementations based on RC4. According to https://security.stackexchange.com/questions/85601/is-arc4random-secure-enough/172905#172905, macOS has an AES-based arc4random since macOS 10.2. Guess that's old enough to just allow it.

@paragonie-security
Contributor

For flavor: arc4random originally used RC4, but it was retconned as "A Reasonable Call 4 Randomness" and used AES or ChaCha-based CSPRNGs. (IIRC OpenBSD uses ChaCha.)

@php-pulls php-pulls closed this in 7a049cd Jan 12, 2021