RE: [PATCH 2/2] reftable/stack: accept insecure random bytes

[<rsbecker@nexbridge.com>]

On January 7, 2025 3:56 PM, Junio C Hamano wrote:
>Patrick Steinhardt <ps@pks.im> writes:
>
>> The report was for NonStop, which uses OpenSSL as the backend for
>> randomness. In the preceding commit we have adapted that backend to
>> also return randomness in case the entropy pool is empty and the
>> caller passes the `CSPRNG_BYTES_INSECURE` flag. Do so to fix the issue.
>
>No kidding.
>
>This is calling rand(3).  The use of the resulting value is to fuzz the
delay before
>retrying, which wants NO CRYPTOGRAPHIC randomness.
>This callsite does not require it, but rand(3) is perfect for ensuring
>predictability/repeatability as well (via srand(3)).
>
>And it is not allowed to fail.

I don't think rand() is what is failing here. The call into OpenSSL is using
randomness
from PRNGD. A poorly configured, or overloaded instance of it will cause
this situation.
The ia64 platform for NonStop is using a standard PRNGD but it is being
overloaded
with a large volume of uses hitting that server. I think this is more of a
canary-in-the-coalmine situation, where we have just brought something to
light
that otherwise would be hard to recreate.

>Yet a platform replaces it with a function that returns an error or aborts?
What kind
>of nonsense is that?  Do we really need to cater to such an insanity?

NonStop has not replaced this call. What we did in OpenSSL is to use the x86
hardware randomizer, which is highly reliable and does not show this
problem. In
ia64, in OpenSSL, the PRNGD is generating randomness and that seems to be
not
reliable enough for git or OpenSSL when under significant load.

>Use of git_rand() here goes backwards against the more recent trend in
reftable/
>directory to wean the code off of the rest of Git by getting rid of
unnecessary
>dependency, doesn't it?
>
>I think [PATCH 1/2] makes sense regardless, though.  But shouldn't we be
pushing
>back this step, with "fix your rand(3)"?
>
>Thanks.
>
>> Reported-by: Randall S. Becker <rsbecker@nexbridge.com>
>> Signed-off-by: Patrick Steinhardt <ps@pks.im>
>> ---
>>  reftable/stack.c | 4 ++--
>>  1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/reftable/stack.c b/reftable/stack.c index
>>
>6d0aa774e7e29d5366ed55df19725944f8eef792..572a74e00f9ed6040534e060
>652e
>> 72c26641749d 100644
>> --- a/reftable/stack.c
>> +++ b/reftable/stack.c
>> @@ -493,7 +493,7 @@ static int reftable_stack_reload_maybe_reuse(struct
>reftable_stack *st,
>>  		close(fd);
>>  		fd = -1;
>>
>> -		delay = delay + (delay * rand()) / RAND_MAX + 1;
>> +		delay = delay + (delay * git_rand(CSPRNG_BYTES_INSECURE)) /
>> +UINT32_MAX + 1;
>>  		sleep_millisec(delay);
>>  	}
>>
>> @@ -659,7 +659,7 @@ int reftable_stack_add(struct reftable_stack *st,
>> static int format_name(struct reftable_buf *dest, uint64_t min,
>> uint64_t max)  {
>>  	char buf[100];
>> -	uint32_t rnd = (uint32_t)git_rand(0);
>> +	uint32_t rnd = git_rand(CSPRNG_BYTES_INSECURE);
>>  	snprintf(buf, sizeof(buf), "0x%012" PRIx64 "-0x%012" PRIx64 "-%08x",
>>  		 min, max, rnd);
>>  	reftable_buf_reset(dest);

--Randall