Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 18 Jul 2014 21:06:31 +0100
From:      Steven Chamberlain <steven@pyro.eu.org>
To:        Leif Pedersen <bilbo@hobbiton.org>
Cc:        "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject:   Re: Speed and security of /dev/urandom
Message-ID:  <53C97E47.4030100@pyro.eu.org>
In-Reply-To: <CAK-wPOhUDhzB6mXJ4XSCN4O6VcyPG9dXqtQJkR3Eoj6Q_gZ=Xg@mail.gmail.com>
References:  <53C85F42.1000704@pyro.eu.org> <4E23BEEA-693A-4FA3-BE94-9BB82B49503A@vpnc.org> <CAK-wPOhuh_XUpQ9OZXB1UZjz6wQF=8gO2thWiBu9i3tt%2BKt7mQ@mail.gmail.com> <C9E21765-D47F-4D98-8C7A-FCD9922FD072@vpnc.org> <CAK-wPOhUDhzB6mXJ4XSCN4O6VcyPG9dXqtQJkR3Eoj6Q_gZ=Xg@mail.gmail.com>

next in thread | previous in thread | raw e-mail | index | archive | help
On 18/07/14 20:01, Leif Pedersen wrote:
> I believe one of Steven's points was (I'm fairly sure I understood him
> correctly) that neglecting to reseed after fork() has led to problems.

Yes, it's one of many things that has gone wrong in the past.

It's been pointed out to me that OpenBSD solved that particular issue
with MAP_INHERIT_ZERO:  the state of the arc4random PRNG is zeroed out
on forking, and it knows to reseed then.

FreeBSD since r227520 (2011-11-15), calls getpid() on every
arc4random_buf call, to see if the pid has changed since it seeded, and
thus reseed.  It was shown recently (in the context of LibreSSL
Portable) that this may not work in a contrived corner-case, so there
they added an atfork handler, but again might not always be called.

*If* getpid involves a syscall on every arc4random_buf call, that is
going to already going to limit its performance?  Would it really be any
slower to just return random bytes from the kernel, with the KERN_ARND
sysctl?  The overhead of currently having to initially and periodically
seed RC4, discard the early keystream, and apply that cipher thereafter,
would be gone.  The risk of the problem described above, or of
weaknesses in RC4, or implementation issues with arc4random's PRNG
seeding are also gone.

And if FreeBSD's kernel CSPRNG wasn't trusted already, the arc4random
PRNG is badly seeded and untrusted anyway.  arc4random wasn't doing
anything to supplement with entropy gathered from userland (which seems
to be the belt-and-braces approach taken by OpenSSL).

I don't suppose there's a risk of exhausting entropy by reading too much
via the sysctl, or else an unprivileged user could do that already.
Yarrow should already handle this.

I very much welcome critique here, I think that's a necessary part of
design and evolution of security code.  I think we should periodically
look at what we have to make sure it still holds up to scrutiny, even if
it 'aint broke (as far as we know).  Please point out any wrong
assumptions you think I've made, even if it seems obvious.

> will have exactly the
> same initial state if there is no provision to reseed the PRNG.

There is arc4random_stir, but an application could easily forget to do
that.  Users of libevent for example, which uses arc4random, doesn't
expose an API function to do an explicit stir if the application forks.

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?53C97E47.4030100>