arc4random and chroot [was Re: [Libevent-users] Fun facts about Libevent 2.0.4-alpha]
- To: libevent-users@xxxxxxxxxxxxx
- Subject: arc4random and chroot [was Re: [Libevent-users] Fun facts about Libevent 2.0.4-alpha]
- From: Nick Mathewson <nickm@xxxxxxxxxxxxx>
- Date: Thu, 4 Mar 2010 01:22:28 -0500
- Delivery-date: Thu, 04 Mar 2010 01:22:38 -0500
- Reply-to: libevent-users@xxxxxxxxxxxxx
- Sender: owner-libevent-users@xxxxxxxxxxxxx
On Wed, Mar 3, 2010 at 6:08 PM, William Ahern
<william@xxxxxxxxxxxxxxxxxx> wrote:
> On Wed, Mar 03, 2010 at 04:38:59PM -0500, Nick Mathewson wrote:
>>
>> * Libevent now uses a secure PRNG for the entropy that evdns needs to
>> be secure. This is arc4random() on platforms that provide it, and our
>> own copy of arc4random() on platforms that don't. You no longer need
>> to replace the evdns transaction ID or random_bytes functions for
>> security.
>>
>
> I noticed that the compat version will expect to open a /dev randomness
> device to stir. But this looks like it will fail for daemons which chroot. A
> quick grep looks like arc4random_stir() isn't called anywhere (i.e. from a
> libevent init routine).
>
> Two possible solutions:
>
> (1) call arc4random_stir() from something which it is reasonable to expect
> the application to call before chroot'ing.
>
> and/or
>
> (2) as Linux is probably by far the most common environment for libevent,
> first try to grab bytes from sysctl. Here's the relevant snippet from my own
> portable arc4random implementation:

I'm not sure that the first approach is feasible; if you're using
libevent and chrooting, there really is no Libevent function that
you're guaranteed to call before a chroot. I've decided to go with a
mixed approach based on your 2 and an additional 3.

(2') Try the Linux sysctl as well as the OpenBSD sysctl as well as
/dev/urandom on Unix boxen (where chroot matters).

(3) Tell people that if they need to chroot and they need to use
libevent in a way that requires a strong RNG, they need to initialize
the RNG before they chroot. They can do this by calling
evutil_secure_rng_init() and checking that the return value is zero.

I've implemented both of these in a git branch called "arc4seed" at my
personal repository at git://github.com/nmathewson/Libevent.git .
Please have a look and let me know what you think? I've only tried it
out on my Linux desktop; the BSD code (which uses the KERN_ARAND
syscall) might need some love, and I might even have broken the
Windows stuff somehow.

yrs,
--
Nick
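
The startup ordering from point (3) above, as an added example that is not part of the original message and is not Libevent code: a libc-only illustration of why seeding must happen, and be checked, before chroot(). The names read_entropy(), rng_init() and seed_then_chroot() and the jail path are hypothetical; in a Libevent program the call to evutil_secure_rng_init() takes the place of rng_init() here.

```c
/* Added example (libc only, not Libevent code): seed the RNG before chroot(). */
#define _DEFAULT_SOURCE 1        /* exposes chroot() on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

static unsigned char seed[32];   /* hypothetical stand-in for PRNG key material */

/* Read exactly n bytes from an entropy device: 0 on success, -1 on failure. */
static int read_entropy(const char *path, unsigned char *out, size_t n)
{
    size_t got = 0;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;                       /* e.g. no /dev inside the jail */
    while (got < n) {
        ssize_t r = read(fd, out + got, n - got);
        if (r < 0 && errno == EINTR) continue;   /* interrupted, retry */
        if (r <= 0) break;                       /* error or unexpected EOF */
        got += (size_t)r;
    }
    close(fd);
    return got == n ? 0 : -1;
}

/* Eager seeding with the contract described in the message: zero means ok. */
int rng_init(const char *device)
{
    unsigned char tmp[sizeof seed];
    if (read_entropy(device, tmp, sizeof tmp) != 0) return -1;
    memcpy(seed, tmp, sizeof seed);
    return 0;
}

/* Daemon startup order: seed first, confine second (chroot() needs root). */
int seed_then_chroot(const char *device, const char *jail)
{
    if (rng_init(device) != 0) return -1;        /* refuse to run unseeded */
    if (chroot(jail) != 0 || chdir("/") != 0) return -2;
    return 0;
}

int main(int argc, char **argv)
{
    int rc = argc > 1 ? seed_then_chroot("/dev/urandom", argv[1]) : rng_init("/dev/urandom");
    printf("rc=%d\n", rc);
    return rc ? 1 : 0;
}
```

Run with no argument it only seeds; run as root with a jail directory as the argument it seeds and then confines itself, returning non-zero if either step fails.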