Hi, I think it would be good for Debian to standardise on a single, good arc4random implementation, available to any application that wants to use it.
I'd like it to become ubiquitous, on all Debian arches (and eventually other distributions). We should ensure applications do find it and use it, instead of using risky fallbacks like rand(), getpid() and time(). (Scan build logs for "checking.*arc4random" for example). We could deprecate dozens of code copies, most of them unmaintained, some having known security flaws that were fixed in later versions.

Looking further ahead, if we want to adopt sandboxing techniques, we may want alternatives to /dev/urandom or sysctl. That may be arch-specific, so it would be great if we only had to implement it in one library.

The most obvious candidate to me is libbsd, which exports an arc4random and some other useful things. It has a permissive license, is very small and has no external dependencies. It would be important to make sure its arc4random is good, but my point is that it is better to have all eyes and effort concentrated on that one Debian package, than the current situation.

There may be a POSIX standard agreed someday for posix_random(3) which could be easily implemented as a wrapper around arc4random or vice-versa. [http://austingroupbugs.net/view.php?id=859]

More background information follows. What do others think about going in this direction; the Debian Security Team in particular? Thanks!

OpenBSD's arc4random has evolved from a bare RC4 stream cipher, to a (safer?) revision discarding early keystream, now to ChaCha20. Its reseeding methods have been updated to defend against fd exhaustion or missing /dev/urandom, for lack of a certain sysctl on Linux, adding fallbacks in case even that doesn't work, and to detect forking (which has itself been reworked a couple of times after e.g. the getpid flaw Andrew Ayer reported).
So we have embedded copies of arc4random and getentropy code throughout the Debian archive, some better than others:

* in OpenSSH Portable's openbsd-compat/
* in OpenSMTPD's openbsd-compat/
* in OpenNTPD's compat/
* in signify-openbsd's arc4random.c
* in LibreSSL Portable, if Debian ever has that.

I've been warned to leave those alone, since OpenBSD is responsible for maintaining those code copies, and I expect they will do a good job of that. But I'm more concerned about:

* getdns recently put copies in src/compat/
* libevent has a copy of old arc4random.c
* libdumbnet has it in src/rand.c
* epic5 has it in source/compat.c
* isakmpd has it in sysdep/common/libsysdep/arc4random.c
* gtk-gnutella has it in src/lib/arc4random.c
* rdate has it in src/arc4random.c
* pure-ftpd has it in src/alt_arc4random.c
* samhain embeds it inline in src/dnmalloc.c
* newlib has one in winsup/cygwin/libc/arc4random.cc, likely unused
* ntp has a copy of old arc4random in sntp/libevent/arc4random.c (embedded code from OpenBSD within embedded copy of libevent)
* icedove has the same thing in mozilla/ipc/chromium/src/third_party/libevent/arc4random.c
* dnscrypt-proxy has it in src/libevent-modified/arc4random.c
* cargo has an embedded copy of libressl sources having libressl/crypto/compat/arc4random.c

And then there are situations where applications do... less desirable things when they don't have a good arc4random available.

* librpcsecgss has this gem in clnttcp_create()/clntudp_bufcreate(), I hope it's nothing too important: https://codesearch.debian.net/results/arc4random%20package%3Alibrpcsecgss/page_0

    #if defined (__linux__) || defined(__GLIBC__)
        call_msg.rm_xid = getpid() ^ now.tv_sec ^ now.tv_usec;
    #else
        call_msg.rm_xid = arc4random();
    #endif

* mediatomb does something similar: https://sources.debian.net/src/mediatomb/0.12.1-47-g7ab7616-1/tombupnp/threadutil/src/ThreadPool.c/?hl=376#L375
* qtwebkit-opensource-src calls currentTime()*10000 an EntropySource: https://sources.debian.net/src/qtwebkit-opensource-src/5.5.1%2Bdfsg-2/Source/WTF/wtf/FastMalloc.cpp/?hl=523#L523
* qtwebkit even has a comment that "ASLR currently only works on darwin (due to arc4random)", applies to openjfx also: https://sources.debian.net/src/qtwebkit/2.3.4.dfsg-6/Source/WTF/wtf/OSAllocatorPosix.cpp/?hl=107#L94
* istgt falls back from arc4random() > srandomdev() > pid XOR time: https://sources.debian.net/src/istgt/0.4~20111008-3/src/istgt_misc.c/?hl=489#L469
* exim4 does the same thing: https://sources.debian.net/src/exim4/4.86-7/src/expand.c/?hl=970#L947
* opendnssec falls back to random(): https://sources.debian.net/src/opendnssec/1:1.4.8.2-1/signer/src/shared/duration.c/?hl=427#L424
* ucarp too: https://sources.debian.net/src/ucarp/1.5.2-2/src/carp.c/?hl=232#L231
* belle-sip too: https://sources.debian.net/src/belle-sip/1.4.1-1/src/dns.c/?hl=353#L353
* nsd too: https://sources.debian.net/src/nsd/4.1.7-1/util.c/?hl=914#L914
* syrep too, "I hope this is random enough": https://sources.debian.net/src/syrep/0.9-4.2/src/mkdtemp.c/?hl=39#L39
* linux-ftpd too: https://sources.debian.net/src/linux-ftpd/0.17-35/ftpd/ftpd.c/?hl=1130#L1129
* apr too: https://sources.debian.net/src/apr/1.5.2-3/file_io/unix/mktemp.c/?hl=70#L70
* isomaster too: https://sources.debian.net/src/isomaster/1.3.13-1/editfile.c/?hl=512#L517
* nsd too: https://sources.debian.net/src/nsd/4.1.7-1/server.c/?hl=908#L908
* polarssl falls back to rand()! Only for testsuite I think. https://sources.debian.net/src/polarssl/1.3.9-2.1/library/rsa.c/?hl=1520#L1520
* bind9 uses rand(), seeded by pid XOR time: https://sources.debian.net/src/bind9/1:9.9.5.dfsg-9/lib/isc/random.c/?hl=98#L76
* mediatomb too: https://sources.debian.net/src/mediatomb/0.12.1-47-g7ab7616-1/tombupnp/threadutil/src/ThreadPool.c/?hl=376#L378
* mcabber too, only seeded by time(): https://sources.debian.net/src/mcabber/0.10.2-1/mcabber/xmpp.c/?hl=1872#L1871
* libxdmcp too: https://sources.debian.net/src/libxdmcp/1:1.1.2-1.1/Key.c/?hl=77#L68
* wdm too: https://sources.debian.net/src/wdm/1.28-18/src/wdm/genauth.c/?hl=108#L108
* cln too: https://sources.debian.net/src/cln/1.3.4-1/src/base/random/cl_random_from.cc/?hl=95#L85
* libice too, seems risky: https://sources.debian.net/src/libice/2:1.0.9-1/src/iceauth.c/?hl=68#L68
* llvm-toolchain-3.6 has slightly better fallback for lack of arc4random(): https://sources.debian.net/src/llvm-toolchain-3.6/1:3.6.2-3/lib/Support/Unix/Process.inc/?hl=444#L422
* nmh does the same in sbr/m_rand.c
* pgbouncer has its own embedded Keccak or ChaCha20 as fallback for lack of arc4random, and its own fallback for lack of getentropy: https://sources.debian.net/src/pgbouncer/1.7-1/lib/usual/crypto/csrandom.c/#L48
* vnc4 falls back to /dev/urandom but doesn't look robust in case it can't be opened/read: https://sources.debian.net/src/vnc4/4.1.1%2BX4.3.0-37.6/unix/xc/programs/xdm/genauth.c/?hl=118#L118
* php7.0 also tries the getrandom syscall proposed for POSIX: https://sources.debian.net/src/php7.0/7.0.1-1/ext/standard/random.c/?hl=96#L95
* libsodium too: https://sources.debian.net/src/libsodium/1.0.3-1/src/libsodium/randombytes/sysrandom/randombytes_sysrandom.c/?hl=52#L267
* openssl uses the strong arc4random on OpenBSD, otherwise falls back to something that has been... problematic before in Debian.

... you get the idea.

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org
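Added example (not part of Steven's mail, nor libbsd's or OpenBSD's code): a single entropy front-end of the kind the mail argues for, written so that the fallback chain fails closed instead of degrading to the pid ^ time pattern quoted above. It prefers arc4random_buf(3) where the platform has it (OpenBSD, or a hypothetical HAVE_ARC4RANDOM_BUF configure result), then the getrandom syscall (no fd needed, so it survives chroots and fd exhaustion), then a /dev/urandom read that handles EINTR, short reads and EOF. It also carries an arc4random_uniform(3)-style rejection loop, since rand() % n is biased whenever n is not a power of two. weak_xid() reproduces the librpcsecgss expression only to show how few inputs determine it.

```c
/* Added example, not from the original mail. Assumes Linux/glibc for the
 * getrandom path; HAVE_ARC4RANDOM_BUF is a hypothetical configure macro. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>
#if defined(__linux__)
#include <sys/syscall.h>
#endif

/* The pattern quoted from librpcsecgss: the XID is fully determined by
 * three values (pid, seconds, microseconds) that carry very little entropy. */
uint32_t weak_xid(pid_t pid, long sec, long usec)
{
    return (uint32_t)pid ^ (uint32_t)sec ^ (uint32_t)usec;
}

/* Read exactly len bytes from fd, retrying on EINTR and short reads.
 * Returns 0 on success, -1 on EOF or a hard error (never a partial fill). */
static int read_full(int fd, unsigned char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = read(fd, buf, len);
        if (n < 0) {
            if (errno == EINTR || errno == EAGAIN) continue;
            return -1;
        }
        if (n == 0) return -1;              /* EOF on /dev/urandom: refuse */
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Fill buf with len bytes from the best source available; 0 on success.
 * There is no userspace state here, so fork() cannot duplicate a stream. */
int secure_random_bytes(unsigned char *buf, size_t len)
{
#if defined(__OpenBSD__) || defined(HAVE_ARC4RANDOM_BUF)
    arc4random_buf(buf, len);
    return 0;
#else
#if defined(__linux__) && defined(SYS_getrandom)
    /* getrandom(2): no fd, and blocks until the kernel pool is initialised. */
    size_t done = 0;
    while (done < len) {
        long n = syscall(SYS_getrandom, buf + done, len - done, 0);
        if (n < 0) {
            if (errno == EINTR) continue;
            if (errno == ENOSYS) break;     /* old kernel: try /dev/urandom */
            return -1;
        }
        done += (size_t)n;
    }
    if (done == len) return 0;
#endif
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;                   /* fail closed, no pid^time here */
    int rc = read_full(fd, buf, len);
    close(fd);
    return rc;
#endif
}

static uint32_t random_u32(void)
{
    uint32_t r;
    if (secure_random_bytes((unsigned char *)&r, sizeof r) != 0) {
        fprintf(stderr, "no entropy source available\n");
        abort();                             /* arc4random's contract: never weak */
    }
    return r;
}

/* Unbiased value in [0, upper): rejection sampling as arc4random_uniform(3)
 * does it. Values below 2^32 mod upper are discarded, so every residue is
 * equally likely; rand() % upper would favour the low residues. */
uint32_t random_uniform(uint32_t upper)
{
    if (upper < 2) return 0;
    uint32_t min = (uint32_t)(-upper) % upper;
    uint32_t r;
    do { r = random_u32(); } while (r < min);
    return r % upper;
}

/* Exercises the source and the uniform loop; returns 0 when output is sane. */
int self_check(void)
{
    unsigned char a[32], b[32];
    if (secure_random_bytes(a, sizeof a) != 0) return 1;
    if (secure_random_bytes(b, sizeof b) != 0) return 2;
    if (memcmp(a, b, sizeof a) == 0) return 3;   /* two equal 256-bit draws */
    for (int i = 0; i < 1000; i++)
        if (random_uniform(10) >= 10) return 4;
    return 0;
}

int main(void)
{
    struct timeval now;
    gettimeofday(&now, NULL);
    printf("weak xid : %08x (pid ^ sec ^ usec)\n",
           weak_xid(getpid(), now.tv_sec, now.tv_usec));
    printf("strong   : %08x\n", random_u32());
    printf("uniform  : %u (die roll in [0,6))\n", random_uniform(6));
    return self_check();
}
```

The point of the structure is that every failure path returns an error or aborts; none of them quietly substitutes getpid() or time(), which is exactly the behaviour the list above is complaining about. Build with cc -o rng rng.c on Linux; on OpenBSD the same file compiles down to a thin wrapper over arc4random_buf.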