Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:118299 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 66818 invoked from network); 25 Jul 2022 09:16:35 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 25 Jul 2022 09:16:35 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 29EDB1804BD for ; Mon, 25 Jul 2022 04:14:21 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2 X-Spam-ASN: AS15169 209.85.128.0/17 X-Spam-Virus: No X-Envelope-From: Received: from mail-oi1-f182.google.com (mail-oi1-f182.google.com [209.85.167.182]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Mon, 25 Jul 2022 04:14:20 -0700 (PDT) Received: by mail-oi1-f182.google.com with SMTP id n133so2934355oib.0 for ; Mon, 25 Jul 2022 04:14:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=W2w8x5ZHFvwLWp6Rb/YB1FCVwUgQJ2W5G48FGKTF/lU=; b=TXuja23F6r0Y78ax5m8Sa0xLJD2DtQCh5cz766jGo2CQxZqgkRcOcDvZcxuUNdVmD+ P8ot9DgNvnu46IwbQEzs42QnXeOoQL4wXRwwYUpXDvRBDueAXlC2weplHILueAHwHkzF Ep+50Jk9EqltRmKs96Yg6ytVKtmTO3MEQpgJX8e81pYl+m9dTF1+vxHZjcAYzxEyY1+m uZY9+vjbZmMfpc4b5jFlDTWuzZp4T9qLy5DbuRw3I++R8czYftVoh5+/zgcJ9IDfLYqr UKlE9Lgxl6o7QtzyNZ6tEW69V4IIYLa2Gy70yyrnD1t/oxMYkzxD4EdPb6DCam2acMa0 uYJQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=W2w8x5ZHFvwLWp6Rb/YB1FCVwUgQJ2W5G48FGKTF/lU=; b=QC5+aXSoyMvPK0FZgphyACv2Zg/FPR1munwMGhiQxHUl0sD4szOhJEIhB+PAYM09Bw v7/x5rl7sE5q2eTNt+2qirf1WeDP+6j2UxCLZ0yaVufhy19wYSpDrP53bbrgeE0QLlVt KHF3SXObyoVeViSHLvzIG+3DYVPoNpcjdaaROAiMcXmrItZEcvA9k3wVjv5S4AxCBxMQ 1MY1iXM1/3VYhNmEcPmIjcYV6qDcfjPyg/To0QNvnONpMrBCWD4XZNjivPwaF2M5adWI WO5SVFx5SmPyOAgXpUjEBJuXgj2KA/hHKcSaUQ0EsvVYtggnmIyG7lcqrX3xhxPDmzmv Yt1Q== X-Gm-Message-State: AJIora/1ePa/jjTiS3a/ok7hZ6csi3x1+91p9MOP1P/gxU8WXMTRcqKx H7CTqGRd1sSfnjW/0NpBy7HW/iWMKOTqJDKYk0UBd9eQW+A= X-Google-Smtp-Source: AGRyM1tttyYXo/UZ94iOf+aWGEiGjtxZ8Z5IfJnXJnpBbzeXHQCehVJZkAnK1jvM5Ip0YnpDuOguR3yXX7ONB+oejoQ= X-Received: by 2002:aca:5dc6:0:b0:33a:25e:8d51 with SMTP id r189-20020aca5dc6000000b0033a025e8d51mr5612120oib.258.1658747659821; Mon, 25 Jul 2022 04:14:19 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: Date: Mon, 25 Jul 2022 20:14:09 +0900 Message-ID: To: =?UTF-8?Q?Tim_D=C3=BCsterhus?= , PHP internals Content-Type: multipart/alternative; boundary="00000000000009282e05e49f49c8" Subject: Re: [PHP-DEV] What do you think CSPRNG in PHP From: zeriyoshi@gmail.com (Go Kudo) --00000000000009282e05e49f49c8 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable 2022=E5=B9=B47=E6=9C=8817=E6=97=A5(=E6=97=A5) 6:33 Tim D=C3=BCsterhus : > Hi > > On 7/15/22 17:54, Go Kudo wrote: > > However, there are several challenges to this. > > > > - Increased maintenance costs > > - Requires optimization for CPU architecture > > - Requires familiarity with CSPRNG > > > > PHP already bundles xxHash and appears ready to make this happen. > > > > Also, an appropriate CSPRNG implementation may be able to resolve the > > current complex macro branching. > > > > What do you think about this? > > This would be a strong no from my side. There's all types of failure > modes that decrease the security of the CSPRNG (i.e. making it insecure) > and we really don't want to be the ones to blame if something goes > wrong. And historically many non-kernel CSPRNGs later proved to be > insecure in specific situations. > > I also would assume that for a typical PHP application both of the > following is true: > - The majority of the requests don't need any randomness. > - The majority of the requests that *need* randomness don't need any > significant amount of randomness. > - The majority of the requests that need significant amounts of > randomness are fine with a regular PRNG (e.g. Xoshiro or Pcg). > - The cost of a few getrandom() syscalls is not really measurable > compared to the time spent waiting for the database, file IO or template > rendering. > > Attempting to optimize the speed of the CSPRNG is premature > optimization. That also the reason why I suggested to use the 'Secure' > engine by default in the Randomizer: It's a safe default choice for the > vast majority of users. > > Personally I likely wouldn't have merged the PR in question for the same > reasons. But at least in that case glibc is at fault :-) > > Best regards > Tim D=C3=BCsterhus > Hi Tim. You are right. Implementing a CSPRNG on your own obviously increases maintenance costs and security risks. However, I still think the overhead of the getrandom syscall in a Linux environment is significant and should be considered. I would suggest deprecating mt_srand()/srand() and using php_random_bytes() in sessions etc. for PHP 8.3 for better security. However, as Nikita mentioned before, the overhead of the getrandom syscall in a Linux environment is significant and this proposal may result in performance degradation. https://github.com/php/php-src/commit/53ee3f7f897f7ee33a4c45210014648043386= e13 Therefore, I have created a PoC to buffer php_random_bytes. This has resulted in a significant performance improvement. https://github.com/zeriyoshi/php-src/tree/random_buf ``` # perf result of current implementation: Samples: 120 of event 'cpu-clock:pppH', Event count (approx.): 30000000 Overhead Command Shared Object Symbol 32.50% php [kernel.kallsyms] [k] preempt_count_sub 30.00% php libc.so.6 [.] syscall 18.33% php [kernel.kallsyms] [k] do_el0_svc 2.50% php php [.] execute_ex 1.67% php [kernel.kallsyms] [k] __this_cpu_preempt_check 1.67% php [kernel.kallsyms] [k] __uaccess_mask_ptr 1.67% php [kernel.kallsyms] [k] _raw_spin_unlock_irqrestore 0.83% php [kernel.kallsyms] [k] __arm64_sys_getrandom 0.83% php [kernel.kallsyms] [k] __kern_my_cpu_offset 0.83% php [kernel.kallsyms] [k] __mod_lruvec_state 0.83% php [kernel.kallsyms] [k] __mod_memcg_state 0.83% php [kernel.kallsyms] [k] __next_zones_zonelist 0.83% php [kernel.kallsyms] [k] arch_local_irq_restore 0.83% php [kernel.kallsyms] [k] arch_local_irq_save 0.83% php [kernel.kallsyms] [k] check_stack_object 0.83% php ld-linux-aarch64.so.1 [.] 0x000000000000a260 0.83% php php [.] php_random_bytes 0.83% php php [.] syscall@plt 0.83% php php [.] zend_hash_add 0.83% php php [.] zend_hash_graceful_reverse_destroy 0.83% php php [.] zend_string_init_interned_permanent $ time ./sapi/cli/php -r 'for ($i =3D 0; $i < 65535; $i++){ random_bytes(4)= ; }' real 0m0.069s user 0m0.025s sys 0m0.044s # PoC result: Samples: 19 of event 'cpu-clock:pppH', Event count (approx.): 4750000 Overhead Command Shared Object Symbol 31.58% php [kernel.kallsyms] [k] __flush_cache_user_range 15.79% php php [.] _efree 10.53% php php [.] zend_register_functions 5.26% php [kernel.kallsyms] [k] __rcu_read_unlock 5.26% php [kernel.kallsyms] [k] page_add_file_rmap 5.26% php [kernel.kallsyms] [k] pfn_valid 5.26% php [kernel.kallsyms] [k] preempt_count_sub 5.26% php libc.so.6 [.] cfree 5.26% php libc.so.6 [.] 0x0000000000097b40 5.26% php php [.] execute_ex 5.26% php php [.] zend_register_constant $ time ./sapi/cli/php -r 'for ($i =3D 0; $i < 65535; $i++){ random_bytes(4)= ; }' real 0m0.016s user 0m0.009s sys 0m0.007s ``` I think this is a safe implementation due to the nature of CSPRNG, what do you think? Best Regards, Go Kudo --00000000000009282e05e49f49c8--