[PATCH v3] Seed random generator in main()

Andrew Bartlett abartlet at samba.org
Wed Jun 17 23:17:18 MDT 2015


On Wed, 2015-06-17 at 23:52 -0400, Simo wrote:
> On Thu, 2015-06-18 at 10:30 +1200, Andrew Bartlett wrote:
> > On Wed, 2015-06-17 at 09:49 -0400, Simo wrote:
> > > On Wed, 2015-06-17 at 15:38 +0200, Volker Lendecke wrote:
> > > > On Wed, Jun 17, 2015 at 09:36:00AM -0400, Simo wrote:
> > > > > On Wed, 2015-06-17 at 08:23 +0200, Volker Lendecke wrote:
> > > > > > On Wed, Jun 17, 2015 at 05:11:37PM +1200, Andrew Bartlett wrote:
> > > > > > > In other parts of Samba we just use the generate_random() function,
> > > > > > > which avoids needing to think about all this.  We have cryptographic
> > > > > > > random numbers in Samba, we can just use those for this.
> > > > > > > 
> > > > > > > We set up a PRNG using MD4 over an RC4 stream from 40 bytes of random
> > > > > > > data.  It isn't the best, but it avoids the bad pattern of using
> > > > > > > srandom() et al, which will just trigger folks either re-using it in more
> > > > > > > important places or alternately writing to us with 'security' warnings
> > > > > > > about using it.
> > > > > > 
> > > > > > Seen from another angle: The BSD world seems to settle on
> > > > > > the arc4random family of functions. There's a libbsd
> > > > > > replacement on Linux for those. Shouldn't we get rid of our
> > > > > > own random number generator and just use that, possibly with
> > > > > > the libbsd code in libreplace?
> > > > > 
> > > > > Why are we not just using urandom? Why do we want to get in the
> > > > > business of guaranteeing proper random number generation????
> > > > 
> > > > Portability?
> > > 
> > > krb5 runs on all platforms and uses cryptographically secure PRNGs
> > > (urandom on Linux), perhaps we can use those libraries for random number
> > > generation.
> > 
> > That's what I want to do, and have proposed twice now.  I guess I need
> > to come back with a patch :-).
> > 
> > The reason for not just reading every byte from /dev/urandom was to
> > avoid it being drained excessively - we can use a lot of random bytes.
> 
> No problem, /dev/urandom cannot be drained, only /dev/random may be, and
> we do not need to use /dev/random.

We ended up with the current situation because on some build farm
hosts, we were using a lot of entropy, between buggy parts of the
libraries samba used (gnutls at the time) that were using /dev/random
and our own use of /dev/urandom.  So I made it seed the RC4 PRNG and
use that once we started to ask for more than 40 bytes of random data
in a process. 

You are correct that we don't 'drain' urandom, but we do reduce the
kernel's entropy count and make other non-samba users of /dev/random
more likely to block.


http://www.2uo.de/myths-about-urandom/

The compromises here are difficult, see both:

From the random(4) manpage:

       The kernel random-number generator is designed to produce a small
       amount of high-quality seed material to seed a cryptographic
       pseudo-random number generator (CPRNG).  It is designed for
       security, not speed, and is poorly suited to generating large
       amounts of random data.  Users should be very economical in the
       amount of seed material that they read from /dev/urandom (and
       /dev/random); unnecessarily reading large quantities of data from
       this device will have a negative impact on other users of the
       device.

vs 

http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/

Andrew Bartlett
-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team         http://samba.org
Samba Development and Support, Catalyst IT   http://catalyst.net.nz/services/samba
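The pattern Andrew describes above (read a small amount of seed material from the kernel once, then expand it in a userspace CPRNG so that /dev/urandom is not read for every byte) can be shown in a few dozen lines. The following is an added example by the editor, not Samba's generate_random() or any code from this thread: it keeps the 40-byte seed size from the discussion but expands it with ChaCha20 in counter mode instead of Samba's MD4-over-RC4 construction (the ChaCha20 state layout, 32-byte key plus 8-byte nonce, is this example's choice), and the `cprng_*` names, `SEED_LEN`, and the self-test against the RFC 7539 A.1 vector are all this example's own.

```c
/* Added example (not Samba code): seed a userspace CPRNG once from 40 bytes of
 * /dev/urandom, then serve all further requests from ChaCha20 in counter mode. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SEED_LEN 40 /* 32-byte key + 8-byte nonce: the "40 bytes" figure from the thread */

#define ROTL32(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
#define QR(a, b, c, d) do {                                   \
        a += b; d ^= a; d = ROTL32(d, 16);                    \
        c += d; b ^= c; b = ROTL32(b, 12);                    \
        a += b; d ^= a; d = ROTL32(d, 8);                     \
        c += d; b ^= c; b = ROTL32(b, 7); } while (0)

static uint32_t load32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void store32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

struct cprng {
    uint32_t state[16]; /* ChaCha20 state; words 12-13 are the 64-bit block counter */
    uint8_t buf[64];    /* most recent keystream block */
    size_t avail;       /* bytes of buf not yet handed out */
};

/* Load a 40-byte seed: 32 bytes of key, 8 bytes of nonce, counter reset to 0. */
void cprng_seed(struct cprng *g, const uint8_t seed[SEED_LEN])
{
    const uint8_t *sigma = (const uint8_t *)"expand 32-byte k";
    int i;
    for (i = 0; i < 4; i++) g->state[i] = load32(sigma + 4 * i);
    for (i = 0; i < 8; i++) g->state[4 + i] = load32(seed + 4 * i);
    g->state[12] = 0; g->state[13] = 0;
    g->state[14] = load32(seed + 32); g->state[15] = load32(seed + 36);
    g->avail = 0;
}

/* Produce one 64-byte ChaCha20 block into buf and advance the block counter. */
static void chacha_block(struct cprng *g)
{
    uint32_t x[16];
    int i;
    memcpy(x, g->state, sizeof x);
    for (i = 0; i < 10; i++) { /* 10 double rounds = 20 rounds */
        QR(x[0], x[4], x[8], x[12]);  QR(x[1], x[5], x[9], x[13]);
        QR(x[2], x[6], x[10], x[14]); QR(x[3], x[7], x[11], x[15]);
        QR(x[0], x[5], x[10], x[15]); QR(x[1], x[6], x[11], x[12]);
        QR(x[2], x[7], x[8], x[13]);  QR(x[3], x[4], x[9], x[14]);
    }
    for (i = 0; i < 16; i++) store32(g->buf + 4 * i, x[i] + g->state[i]);
    if (++g->state[12] == 0) g->state[13]++;
    g->avail = 64;
}

/* Hand out n bytes of generator output; the kernel device is never touched here. */
void cprng_bytes(struct cprng *g, uint8_t *out, size_t n)
{
    while (n > 0) {
        size_t take;
        if (g->avail == 0) chacha_block(g);
        take = n < g->avail ? n : g->avail;
        memcpy(out, g->buf + (64 - g->avail), take);
        g->avail -= take; out += take; n -= take;
    }
}

/* The single kernel read: SEED_LEN bytes, after which /dev/urandom is left alone. */
int cprng_seed_from_urandom(struct cprng *g)
{
    uint8_t seed[SEED_LEN];
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    if (fread(seed, 1, SEED_LEN, f) != SEED_LEN) { fclose(f); return -1; }
    fclose(f);
    cprng_seed(g, seed);
    memset(seed, 0, sizeof seed); /* do not leave seed material on the stack */
    return 0;
}

/* Self-check: the all-zero seed must reproduce the first keystream block of
 * RFC 7539 A.1 test vector #1, and output must match whether requested in one
 * call or in pieces. Returns 1 on success, 0 on failure. */
int cprng_selftest(void)
{
    static const uint8_t expect[16] = { 0x76, 0xb8, 0xe0, 0xad, 0xa0, 0xf1, 0x3d, 0x90,
                                        0x40, 0x5d, 0x6a, 0xe5, 0x53, 0x86, 0xbd, 0x28 };
    uint8_t seed[SEED_LEN] = { 0 }, a[100], b[100];
    struct cprng g;
    cprng_seed(&g, seed);
    cprng_bytes(&g, a, sizeof a);
    if (memcmp(a, expect, sizeof expect) != 0) return 0;
    cprng_seed(&g, seed);
    cprng_bytes(&g, b, 7); cprng_bytes(&g, b + 7, 60); cprng_bytes(&g, b + 67, 33);
    return memcmp(a, b, sizeof a) == 0;
}

int main(void)
{
    struct cprng g;
    uint8_t out[16];
    size_t i;
    if (!cprng_selftest()) { fputs("self-test failed\n", stderr); return 1; }
    if (cprng_seed_from_urandom(&g) != 0) { perror("/dev/urandom"); return 1; }
    cprng_bytes(&g, out, sizeof out);
    for (i = 0; i < sizeof out; i++) printf("%02x", out[i]);
    putchar('\n');
    return 0;
}
```

The design point is the one the manpage quote makes: the kernel is asked for seed material exactly once per process, and everything after that is userspace expansion, so a process that needs many random bytes does not push other /dev/random readers toward blocking. Whether that precaution is still worth taking is exactly what the two linked pages disagree about; the example only shows what the precaution looks like.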