[PATCH v3] Seed random generator in main()

Simo simo at samba.org
Thu Jun 18 06:53:23 MDT 2015


On Thu, 2015-06-18 at 17:17 +1200, Andrew Bartlett wrote:
> On Wed, 2015-06-17 at 23:52 -0400, Simo wrote:
> > On Thu, 2015-06-18 at 10:30 +1200, Andrew Bartlett wrote:
> > > On Wed, 2015-06-17 at 09:49 -0400, Simo wrote:
> > > > On Wed, 2015-06-17 at 15:38 +0200, Volker Lendecke wrote:
> > > > > On Wed, Jun 17, 2015 at 09:36:00AM -0400, Simo wrote:
> > > > > > On Wed, 2015-06-17 at 08:23 +0200, Volker Lendecke wrote:
> > > > > > > On Wed, Jun 17, 2015 at 05:11:37PM +1200, Andrew Bartlett wrote:
> > > > > > > > In other parts of Samba we just use the generate_random()
> > > > > > > > function, which avoids needing to think about all this.  We have
> > > > > > > > cryptographic random numbers in Samba, we can just use those for
> > > > > > > > this.
> > > > > > > > 
> > > > > > > > We set up a PRNG using MD4 over a RC4 stream from 40 bytes of
> > > > > > > > random data.  It isn't the best, but it avoids the bad pattern of
> > > > > > > > using srandom() et al, which will just trigger folks either
> > > > > > > > re-using in more important places or alternately writing to us
> > > > > > > > with 'security' warnings about using it.
> > > > > > > 
> > > > > > > Seen from another angle: The BSD world seems to settle on
> > > > > > > the arc4random family of functions. There's a libbsd
> > > > > > > replacement on Linux for those. Shouldn't we get rid of our
> > > > > > > own random number generator and just use that, possibly with
> > > > > > > the libbsd code in libreplace?
> > > > > > 
> > > > > > Why are we not just using urandom?  Why do we want to get in the
> > > > > > business of guaranteeing proper random number generation?
> > > > > 
> > > > > Portability?
> > > > 
> > > > krb5 runs on all platforms and uses cryptographically secure PRNGs
> > > > (urandom on Linux), perhaps we can use that library for random number
> > > > generation.
> > > 
> > > That's what I want to do, and have proposed twice now.  I guess I need
> > > to come back with a patch :-).
> > > 
> > > The reason for not just reading every byte from /dev/urandom was to
> > > avoid it being drained excessively - we can use a lot of random bytes.
> > 
> > No problem, /dev/urandom cannot be drained, only /dev/random may be, and
> > we do not need to use /dev/random.
> 
> We ended up with the current situation because on some build farm
> hosts, we were using a lot of entropy, between buggy parts of the
> libraries samba used (gnutls at the time) that were using /dev/random
> and our own use of /dev/urandom.  So I made it seed the RC4 PRNG and
> use that once we started to ask for more than 40 bytes of random data
> in a process. 
> 
> You are correct that we don't 'drain' urandom, but we do reduce the
> kernel's entropy count and make other non-samba users of /dev/random
> more likely to block.

It's not really our problem, is it?
A ton of applications use urandom; we wouldn't be the only "drainers".


> http://www.2uo.de/myths-about-urandom/
> 
> The compromises here are difficult, see both:
> 
> From the random(4) manpage:
> 
>        The kernel random-number generator is designed to produce a small
>        amount of high-quality seed material to seed a cryptographic
>        pseudo-random number generator (CPRNG).  It is designed for
>        security, not speed, and is poorly suited to generating large
>        amounts of random data.  Users should be very economical in the
>        amount of seed material that they read from /dev/urandom (and
>        /dev/random); unnecessarily reading large quantities of data from
>        this device will have a negative impact on other users of the
>        device.
> 
> vs 
> 
> http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/

I am not sure what you are trying to point at, for Samba using urandom
is perfectly fine, there is never a reason to use /dev/random, nor use a
custom CSPRNG when the kernel provides a perfectly good one.

Simo.

-- 
Simo Sorce
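The thread argues for reading random bytes straight from /dev/urandom rather than seeding a userspace PRNG. The following is an added example, not Samba code or anything from this thread, showing how such a read is done defensively on a POSIX/Linux system: short reads and EINTR are handled, and the descriptor is checked to be a character device so a stray regular file at that path is rejected instead of silently used as "randomness".

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Fill buf with len bytes from /dev/urandom.  Returns 0 on success, -1 on
 * failure (errno set).  Handles short reads and EINTR, and refuses to read
 * from anything that is not a character device, so a planted regular file
 * at that path (e.g. inside a chroot) is caught rather than trusted. */
int fill_from_urandom(uint8_t *buf, size_t len)
{
    struct stat st;
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISCHR(st.st_mode)) {
        close(fd);
        errno = ENODEV;
        return -1;
    }
    for (size_t done = 0; done < len;) {
        ssize_t n = read(fd, buf + done, len - done);
        if (n < 0 && errno == EINTR)
            continue;             /* interrupted by a signal: retry */
        if (n <= 0) {             /* read error, or EOF that must not happen */
            int saved = (n < 0) ? errno : EIO;
            close(fd);
            errno = saved;
            return -1;
        }
        done += (size_t)n;
    }
    close(fd);
    return 0;
}

/* Self-check: two independent 32-byte draws must both succeed and differ.
 * Returns 1 on pass, 0 on failure. */
int urandom_self_check(void)
{
    uint8_t a[32], b[32];
    if (fill_from_urandom(a, sizeof a) != 0 ||
        fill_from_urandom(b, sizeof b) != 0)
        return 0;
    return memcmp(a, b, sizeof a) != 0;
}
```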


