From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from secure.elehost.com (secure.elehost.com [185.209.179.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 65B0B1DF27C for ; Tue, 7 Jan 2025 23:54:19 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.209.179.11 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736294061; cv=none; b=agCDb3QNGh6lqXd6wIiWSvvBeXi4F2S6zP9JDlgeSvUQpR/vOE9xfY+BU1kvhV5Sosqt0NaGIfxWMrv6isRe2t5Z7jCqCSTYiJGlrH0StpSYSX+zNnjxb3Jr1+aW4BElHyyqgc/3CRikO3ZogHCaMDsDBQNfVyjsv+Z/x6iSGsY= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736294061; c=relaxed/simple; bh=MSPaMgJjwsekfSKDLGBQFOHr2rTZnIy6r5U2gU68jSo=; h=From:To:Cc:References:In-Reply-To:Subject:Date:Message-ID: MIME-Version:Content-Type; b=icyyrqHX+YJEGoSjtWp27WaYZDMG05/9GEl/RU5LkSiw5PitOPluvYPKUQkfC1FWtfrFnLi1Rfk+fWfPudaSExWwolPB7JYh1oZ7blr0JVDMBUa4qcVKLi1WN8h30Qck2fECaTsIr7oCM7E3Do9SZaOKBymLGi0mQ21Xqt34k9U= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=nexbridge.com; spf=pass smtp.mailfrom=nexbridge.com; arc=none smtp.client-ip=185.209.179.11 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=nexbridge.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=nexbridge.com X-Virus-Scanned: Debian amavisd-new at secure.elehost.com Received: from Mazikeen (pool-99-228-67-183.cpe.net.cable.rogers.com [99.228.67.183]) (authenticated bits=0) by secure.elehost.com (8.15.2/8.15.2/Debian-22ubuntu3) with ESMTPSA id 507Ns6N61622829 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 7 Jan 2025 23:54:07 GMT Reply-To: From: To: "'brian m. carlson'" , "'Patrick Steinhardt'" Cc: , "'Randall S. Becker'" References: <20250107-b4-pks-reftable-csprng-v1-0-6109a54a8756@pks.im> In-Reply-To: Subject: RE: [PATCH 0/2] reftable/stack: stop dying on exhausted entropy pool Date: Tue, 7 Jan 2025 18:54:02 -0500 Organization: Nexbridge Inc. Message-ID: <00ac01db615f$70b72600$52257200$@nexbridge.com> Precedence: bulk X-Mailing-List: git@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Mailer: Microsoft Outlook 16.0 Thread-Index: AQKra1ik1fhxhiR8lx9L1yKHV+swtwK/d598sVXr+MA= Content-Language: en-ca X-Antivirus: Norton (VPS 250107-4, 1/7/2025), Outbound message X-Antivirus-Status: Clean On January 7, 2025 6:22 PM, brian m. carlson wrote: >On 2025-01-07 at 15:26:58, Patrick Steinhardt wrote: >> Hi, >> >> this small patch series fixes the issue reported by Randall [1], = where >> an exhausted entropy pool can cause us to die when writing a new = table >> to the reftable stack. I _think_ that this is only an issue with the >> OpenSSL backend of `csprng_bytes()`: >> >> - `arc4random_buf()` never returns an error. >> >> - `getrandom()` pulls from "/dev/urandom" by default. >> >> - `getentropy()` seems to block when there is not enough randomness >> available. >> >> - `GtlGenRandom()` I cannot really tell. >> >> - The fallback reads from "/dev/urandom", which also returns bytes = in >> case the entropy pool is drained. >> >> So OpenSSL's `RAND_bytes()` seems to be the only one that returns an >> error when the entropy pool is empty. I did wonder whether we even >> need to introduce the new flag in the first place, or whether we >> cannot just use `RAND_pseudo_bytes()` unconditionally. But I'm a bit >> uneasy about it given that OpenSSL has this doc: >> >> RAND_pseudo_bytes() puts num pseudo-random bytes into buf. >> Pseudo-random byte sequences generated by RAND_pseudo_bytes() = will >> be unique if they are of sufficient length, but are not = necessarily >> unpredictable. They can be used for non-cryptographic purposes = and >> for certain purposes in cryptographic protocols, but usually not = for >> key generation etc. >> >> It might be too easy to accidentally rely on `csprng_bytes()` where = it >> actually requires strong cryptographic data, so I was erring on the >> side of caution. > >The reason I didn't use RAND_pseudo_bytes is because it's been = deprecated since >OpenSSL 1.1.0 and RAND_bytes uses a CSPRNG just like RAND_pseudo_bytes = as of >that version. Once it's seeded, it should be able to generate plenty = of bytes, >because I believe it uses a CTR-DRBG, which only needs to be reseeded = after 2^48 >bytes (which is far more than we should be using). > >We can full well use RAND_pseudo_bytes, but all operating systems = should provide >an appropriate entropy source that can provide 256 bits of entropy on = startup. >arc4random will just kill the process if it can't seed itself, so your = changes won't >actually prevent dying on a lack of entropy. > >I don't want an option that chooses "insecure" bytes. My preference is = that we >require people use a different backend or an up-to-date OpenSSL version = that >shouldn't have this problem. We can use RAND_pseudo_bytes if we really = need to >support older versions, but there are also no major operating systems = which >require that old of a version (CentOS 7, which is dead, used OpenSSL = 1.0.2, and >CentOS 8 uses 1.1.1k), so it's probably not within our support policy = to do that. > >Note also that if OpenSSL is being used for TLS, a lack of entropy will = result in TLS >not working, which means that Git will be randomly broken on that = system, which is >not really an experience that we want to encourage, so that should be = taken into >account. > >Can we get some more information about what version of OpenSSL is being = used >and what the system entropy source is? In my situation, OpenSSL 3.0.11 on ia64. 3.4.1 and 3.0.13 on x86 (x86 = works fine Because OpenSSL uses hardware. On ia64, we end up on PRNGD, which does = fail.