Problems with CSPRNG in wrapper.c

Problems with CSPRNG in wrapper.c

[rsbecker]

I've hit an issue with git that has me stumped at a customer site - so I
have limited visibility on what is actually wrong. This is pretty urgent
that I resolve this.

In git/wrapper (lines 477 from :
       if (csprng_bytes(&v, sizeof(v)) < 0)
       	return error_errno("unable to get random bytes for temporary file");

First, I was not aware that csprng was a git dependency - not sure why
because we depend on OpenSSL_random that should return random bytes. Does
this still mean that there is a dependency on PRNGD, or is there another
dependency I am missing.

Should I get them to revert back to an older git version (which one)? Is a
patch needed?

Thanks,
Randall

--
Brief whoami: NonStop&UNIX developer since approximately
UNIX(421664400)
NonStop(211288444200000000)
-- In real life, I talk too much.

Re: Problems with CSPRNG in wrapper.c

[Junio C Hamano]

<rsbecker@nexbridge.com> writes:

> First, I was not aware that csprng was a git dependency ...

You can choose from implementations that depend on common external
libraries and system functions, but we have a fallback internal
implementation that only requires /dev/urandom.

See description for CSPRNG_METHOD in Makefile and 05cd988d (wrapper:
add a helper to generate numbers from a CSPRNG, 2022-01-17) for
additional background.

RE: Problems with CSPRNG in wrapper.c

[rsbecker]

On Monday, February 27, 2023 6:15 PM, Junio C Hamano wrote:
><rsbecker@nexbridge.com> writes:
>
>> First, I was not aware that csprng was a git dependency ...
>
>You can choose from implementations that depend on common external
libraries
>and system functions, but we have a fallback internal implementation that
only
>requires /dev/urandom.
>
>See description for CSPRNG_METHOD in Makefile and 05cd988d (wrapper:
>add a helper to generate numbers from a CSPRNG, 2022-01-17) for additional
>background.

I have already been down that path, but not successfully. /dev/urandom is
not available on the platform - never has, never will to my knowledge. This
does appear to work if PRNGD is correctly running, but I can't seem to get
that to work on this site. The config.mak.uname for NonStop does specify:

CSPRNG_METHOD = openssl

which should use OPENSSL_random(), shouldn't it? OpenSSL 3.0 uses the
_rdrand() builtin so should ever go to PRNGD, but it seems like this is
anyway. Debugging isn't possible as this is not on my own systems - and
things work here. Is there any kind of tracing I can do?

Re: Problems with CSPRNG in wrapper.c

[brian m. carlson]

[-- Attachment #1: Type: text/plain, Size: 1290 bytes --]

On 2023-02-27 at 23:23:36, rsbecker@nexbridge.com wrote:
> I have already been down that path, but not successfully. /dev/urandom is
> not available on the platform - never has, never will to my knowledge. This
> does appear to work if PRNGD is correctly running, but I can't seem to get
> that to work on this site. The config.mak.uname for NonStop does specify:
> 
> CSPRNG_METHOD = openssl
> 
> which should use OPENSSL_random(), shouldn't it? OpenSSL 3.0 uses the
> _rdrand() builtin so should ever go to PRNGD, but it seems like this is
> anyway. Debugging isn't possible as this is not on my own systems - and
> things work here. Is there any kind of tracing I can do?

It actually uses RAND_bytes.  I've confirmed on my Debian sid/amd64
system that compiling with "make -j8 CSPRNG_METHOD=openssl" results in
the binary having a dependency on RAND_bytes.  (I used "nm -D".)

Does your system have an nm binary that you could use to verify the
linkage?  (OpenBSD says it has existed since Version 1 Unix, but that
doesn't mean it exists everywhere.)  Once you can verify the linkage,
you'll know whether the problem is OpenSSL not producing CSPRNG data or
whether the CSPRNG_METHOD is incorrect.
-- 
brian m. carlson (he/him or they/them)
Toronto, Ontario, CA

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 263 bytes --]

RE: Problems with CSPRNG in wrapper.c

[rsbecker]

On Monday, February 27, 2023 7:12 PM, brian m. carlson wrote:
>On 2023-02-27 at 23:23:36, rsbecker@nexbridge.com wrote:
>> I have already been down that path, but not successfully. /dev/urandom
>> is not available on the platform - never has, never will to my
>> knowledge. This does appear to work if PRNGD is correctly running, but
>> I can't seem to get that to work on this site. The config.mak.uname for NonStop
>does specify:
>>
>> CSPRNG_METHOD = openssl
>>
>> which should use OPENSSL_random(), shouldn't it? OpenSSL 3.0 uses the
>> _rdrand() builtin so should ever go to PRNGD, but it seems like this
>> is anyway. Debugging isn't possible as this is not on my own systems -
>> and things work here. Is there any kind of tracing I can do?
>
>It actually uses RAND_bytes.  I've confirmed on my Debian sid/amd64 system that
>compiling with "make -j8 CSPRNG_METHOD=openssl" results in the binary having a
>dependency on RAND_bytes.  (I used "nm -D".)
>
>Does your system have an nm binary that you could use to verify the linkage?
>(OpenBSD says it has existed since Version 1 Unix, but that doesn't mean it exists
>everywhere.)  Once you can verify the linkage, you'll know whether the problem is
>OpenSSL not producing CSPRNG data or whether the CSPRNG_METHOD is incorrect.

I can confirm:
Called Procedures
    Calling Procedures
----------------------------------------------------------------------
 RAND_bytes
    csprng_bytes

So that's something good. I'm wondering why this problem is showing up because my x86 OpenSSL build passes FIPS which would not if it depended on PRNGD. Both platforms call git_mkstemps_mode from csprng_bytes, but that is expected. I have opened a separate case with OpenSSL, but all tests are passing there. It seems like git is ending up in the hardware randomizer code works if PRNGD is running but fails if PRNGD is not running. I am perplexed.