Re: [PATCH 0/2] reftable/stack: stop dying on exhausted entropy pool

On 2025-01-08 at 07:18:52, Patrick Steinhardt wrote:
> You reported in [1] that a couple more tests are indeed failing, not
> only t0610. That changes things in my opinion as it shows that this is
> not a localized issue in the reftable library, but likely in multiple
> callsites where we use randomness. So my current patch series is not
> sufficient as it only fixes up the reftable codebase. But in the case
> where it's a general issue I tend to agree with brian, because I don't
> want to play whack-a-mole with all the callsites of `git_rand()` where
> we can indeed use insecure bytes.
> 
> Honestly, this rather makes me want to remove the OpenSSL backend for
> our CSRNG completely. NonStop is the only platform that uses it right
> now, and it seems to be easy to misconfigure. All the other backends we
> have don't have the same issue as explained further up in my message. So
> does NonStop support any of the alternative backends that Git has, like
> `arc4random_buf()`, `getrandom()`, `getentropy()` or reading from
> "/dev/urandom"?

OpenSSL's backend is only as good as the system entropy source, which,
apparently in the case of PRNGD, is not very good.  The last release of
PRNGD was in 2007 apparently, so I don't think we should hold our breath
for a fix.

Or, of course, it could be simply that prngd works just fine and there
aren't enough sources for it.  If the machine has an analog microphone
input that isn't plugged in, streaming some data from that might be a
good source, since that will be noisy.  A second of recording signed
16-bit PCM data at 48 kHz might provide at least 64 bits of entropy[0].

I will say that libbsd provides a fallback implementation for its
getentropy code, which would allow the use of arc4random as a backend.
I know there were some portability problems with getting that to run on
NonStop, and of course I provide no guarantees about its suitability or
security, but it does appear that there is some alternative if the
porting problems can be overcome.  We explicitly have support for libbsd
in the Makefile already.

That doesn't avoid the problem of TLS and SSH not working, but it may
get the tests passing.

[0] That's 750 samples per bit of entropy, which I think should be
reasonably conservative.
-- 
brian m. carlson (they/them or he/him)
Toronto, Ontario, CA
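The message's footnote credits one bit of entropy per 750 PCM samples (48000 samples per second, 64 bits credited). The following added example, which is not part of the thread and not brian's or Git's code, shows how a practitioner could sanity-check such a source before feeding it to a daemon like prngd: it estimates empirical min-entropy per sample and applies the 1-bit-per-750-samples credit, refusing to credit anything for a dead or muted input. The "microphone" data is constructed with a seeded PRNG as a stand-in for a real recording; the threshold and helper names are the example's own assumptions.

```python
import math
import random
from collections import Counter

# Figures from the message: 48 kHz signed 16-bit PCM, one second of
# audio credited with 64 bits, i.e. one bit per 750 samples.
SAMPLE_RATE_HZ = 48_000
SAMPLES_PER_BIT = 750


def min_entropy_per_sample(samples):
    """Empirical min-entropy in bits: -log2 of the relative frequency of
    the most common sample value.  Min-entropy (not Shannon entropy) is
    the right quantity to credit, because a guesser tries the most likely
    value first."""
    if not samples:
        return 0.0
    most_common = Counter(samples).most_common(1)[0][1]
    return -math.log2(most_common / len(samples))


def credited_bits(samples, samples_per_bit=SAMPLES_PER_BIT):
    """Bits to credit for a PCM buffer under the message's conservative
    rule: one bit per `samples_per_bit` samples, and zero if the buffer
    does not even carry that much min-entropy per sample.  A disconnected
    or muted capture device yields a constant stream and must get zero."""
    if not samples:
        return 0
    if min_entropy_per_sample(samples) < 1.0 / samples_per_bit:
        return 0
    return len(samples) // samples_per_bit


def constructed_noise(seconds=1.0, noise_bits=4, seed=42):
    """Constructed stand-in for an unplugged microphone input (not a real
    recording): near-silence whose low `noise_bits` bits jitter.  Values
    stay within the signed 16-bit PCM range."""
    rng = random.Random(seed)
    n = int(seconds * SAMPLE_RATE_HZ)
    lo, hi = -(1 << (noise_bits - 1)), 1 << (noise_bits - 1)
    return [rng.randrange(lo, hi) for _ in range(n)]


def dead_input(seconds=1.0):
    """Constructed stand-in for a muted or disconnected capture device."""
    return [0] * int(seconds * SAMPLE_RATE_HZ)


if __name__ == "__main__":
    for name, buf in (("noise", constructed_noise()), ("dead", dead_input())):
        print(f"{name}: {min_entropy_per_sample(buf):.3f} bits/sample, "
              f"credit {credited_bits(buf)} bits per second")
```

On the constructed noise the empirical min-entropy is close to 4 bits per sample, far above the 1/750 bit per sample the rule credits, which is what makes the 64-bit figure conservative; on the dead input it is exactly zero, and the credit is zero rather than 64, which is the failure mode a seeding policy has to catch.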
