From: Paul Eggert
Newsgroups: gmane.emacs.bugs
Subject: bug#22202: 24.5; SECURITY ISSUE -- Emacs Server vulnerable to random number generator attack on Windows systems
Date: Sun, 17 Jan 2016 12:26:31 -0800
Organization: UCLA Computer Science Department
Message-ID: <569BF8F7.3090904@cs.ucla.edu>
In-Reply-To: <87h9jg5ay2.fsf@gmail.com>
To: Eli Zaretskii
Cc: Richard Copley, 22202@debbugs.gnu.org, demetriobenour@gmail.com, deng@randomsample.de
X-GNU-PR-Keywords: security
Xref: news.gmane.org gmane.emacs.bugs:111684

Eli, thanks for improving the initial seed for (random t) in Emacs.

I noticed that with this change, my Emacs was opening /dev/urandom twice, because GnuTLS does something similar during startup. Also, it was reading more data from /dev/urandom than it needed, due to stdio buffering. So I installed the attached patch, which defers to GnuTLS and falls back on doing things by hand (without stdio) only if GnuTLS is not available or fails. I assume this approach works under MS-Windows; if not, please let me know and I'll try to fix it.

Would you mind if I removed the newly-added details about current time and process ID from the documentation? The idea is that this is an internal implementation detail that users should not rely on.

[Attachment: 0001-Prefer-GnuTLS-when-acquiring-random-seed.patch]

From 05e8148a24ebe51fbe758dd16265e8fb81f85953 Mon Sep 17 00:00:00 2001
From: Paul Eggert Date: Sun, 17 Jan 2016 12:12:08 -0800 Subject: [PATCH] Prefer GnuTLS when acquiring random seed This attempts to improve on the fix for Bug#22202. * configure.ac (HAVE_DEV_URANDOM): Remove. Check /dev/urandom existence at run time, not at build time, since the device could exist in the former but not the latter. * src/sysdep.c [HAVE_GNUTLS]: Include gnutls/gnutls.h. (gnutls_rnd) [GNUTLS_VERSION_NUMBER < 0x020c00]: New fallback macro. (random_seed): New typedef. (set_random_seed): New static function. (seed_random): Use them. (init_random): Use random_seed instead of uintmax_t, so as to not consume more entropy than needed. Prefer gnutls_rnd if it works; this avoids a redundant open of /dev/urandom on GNU/Linux with modern GnuTLS. --- configure.ac | 16 ------------ src/sysdep.c | 85 ++++++++++++++++++++++++++++++------------------------------ 2 files changed, 43 insertions(+), 58 deletions(-) diff --git a/configure.ac b/configure.ac index 6c9b621..8c01aba 100644 --- a/configure.ac +++ b/configure.ac @@ -4153,22 +4153,6 @@ fi AC_TYPE_MBSTATE_T -AC_MSG_CHECKING([whether "/dev/urandom" is available]) -dev_urandom=no -dnl MSYS, being a Cygwin fork, thinks "/dev/urandom" does exist, so -dnl don't check this for the MinGW builds. -if test "${opsys}" != "mingw32"; then - if test -r "/dev/urandom"; then - AC_DEFINE(HAVE_DEV_URANDOM, 1, [Define if the system supports the "/dev/urandom" device.]) - dev_urandom=yes - fi -fi -if test $dev_urandom = yes; then - AC_MSG_RESULT(yes) -else - AC_MSG_RESULT(no) -fi - dnl Fixme: AC_SYS_POSIX_TERMIOS should probably be used, but it's not clear dnl how the tty code is related to POSIX and/or other versions of termios. dnl The following looks like a useful start. diff --git a/src/sysdep.c b/src/sysdep.c index 1fa4229..635443c 100644 --- a/src/sysdep.c +++ b/src/sysdep.c 
@@ -99,6 +99,15 @@ along with GNU Emacs. If not, see . */ #include "process.h" #include "cm.h" +#ifdef HAVE_GNUTLS +# include +#endif +#if 0x020c00 <= GNUTLS_VERSION_NUMBER +# include +#else +# define gnutls_rnd(level, data, len) (-1) +#endif + #ifdef WINDOWSNT #include /* In process.h which conflicts with the local copy. */ 
@@ -2068,63 +2077,55 @@ init_signals (bool dumping) # endif /* !HAVE_RANDOM */ #endif /* !RAND_BITS */ +#ifdef HAVE_RANDOM +typedef unsigned int random_seed; +static void set_random_seed (random_seed arg) { srandom (arg); } +#elif defined HAVE_LRAND48 +/* Although srand48 uses a long seed, this is unsigned long to avoid + undefined behavior on signed integer overflow in init_random. */ +typedef unsigned long int random_seed; +static void set_random_seed (random_seed arg) { srand48 (arg); } +#else +typedef unsigned int random_seed; +static void set_random_seed (random_seed arg) { srand (arg); } +#endif + void seed_random (void *seed, ptrdiff_t seed_size) { -#if defined HAVE_RANDOM || ! defined HAVE_LRAND48 - unsigned int arg = 0; -#else - long int arg = 0; -#endif + random_seed arg = 0; unsigned char *argp = (unsigned char *) &arg; unsigned char *seedp = seed; - ptrdiff_t i; - for (i = 0; i < seed_size; i++) + for (ptrdiff_t i = 0; i < seed_size; i++) argp[i % sizeof arg] ^= seedp[i]; -#ifdef HAVE_RANDOM - srandom (arg); -#else -# ifdef HAVE_LRAND48 - srand48 (arg); -# else - srand (arg); -# endif -#endif + set_random_seed (arg); } void init_random (void) { - uintmax_t v; - struct timespec t; - bool success = false; - -#if HAVE_DEV_URANDOM - FILE *fp = fopen ("/dev/urandom", "rb"); - - if (fp) + random_seed v; + if (gnutls_rnd (GNUTLS_RND_NONCE, &v, sizeof v) != 0) { - int i; - - for (i = 0, v = 0; i < sizeof (uintmax_t); i++) + bool success = false; +#ifndef WINDOWSNT + int fd = emacs_open ("/dev/urandom", O_RDONLY | O_BINARY, 0); + if (0 <= fd) { - v <<= 8; - v |= fgetc (fp); + success = emacs_read (fd, &v, sizeof v) == sizeof v; + emacs_close (fd); + } +#else + success = w32_init_random (&v, sizeof v) == 0; +#endif + if (! success) + { + /* Fall back to current time value + PID. 
*/ + struct timespec t = current_timespec (); + v = getpid () ^ t.tv_sec ^ t.tv_nsec; } - fclose (fp); - success = true; - } -#elif defined WINDOWSNT - if (w32_init_random (&v, sizeof v) == 0) - success = true; -#endif /* HAVE_DEV_URANDOM || WINDOWSNT */ - if (!success) - { - /* Fall back to current time value + PID. */ - t = current_timespec (); - v = getpid () ^ t.tv_sec ^ t.tv_nsec; } - seed_random (&v, sizeof v); + set_random_seed (v); } /* -- 2.5.0 --------------040009080301020704010803--
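Review bot: in the configure.ac hunk, the removed probe carried the only record of the MSYS caveat ("MSYS, being a Cygwin fork, thinks /dev/urandom does exist, so don't check this for the MinGW builds"), and the run-time replacement in init_random guards the /dev/urandom open with `#ifndef WINDOWSNT` alone; please confirm WINDOWSNT is defined for the mingw32 configuration that comment was protecting, and consider carrying the caveat over as a comment next to the `#ifndef WINDOWSNT` so the reason for the guard is not lost with the configure check.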
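Review bot: in the includes hunk, `#if 0x020c00 <= GNUTLS_VERSION_NUMBER` sits outside the `#ifdef HAVE_GNUTLS` block, so a build without GnuTLS relies on the undefined macro evaluating to 0 in the preprocessor; that works, but it warns under -Wundef, and the fallback `# define gnutls_rnd(level, data, len) (-1)` only compiles in that configuration because a function-like macro discards its arguments, so `GNUTLS_RND_NONCE` is never seen by the compiler. Suggest nesting the version test inside the HAVE_GNUTLS block and adding a one-line comment saying the fallback's arguments are intentionally never evaluated, so nobody later turns it into a real function. Also, the two `# include` lines show no header names in this copy of the patch; the commit message names gnutls/gnutls.h for the first, but the reviewer cannot confirm from the visible text which header the 0x020c00 branch pulls in for the gnutls_rnd declaration.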
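Review bot: in the init_random hunk, `success = emacs_read (fd, &v, sizeof v) == sizeof v;` treats a short read as failure and silently drops to the time-xor-PID fallback, with no retry and no diagnostic; for a change motivated by a security bug, the weak path deserves a loop until sizeof v bytes are read (or a hard error) and a comment stating that "Fall back to current time value + PID" is reached only when both gnutls_rnd and the OS source fail and is not suitable for anything security-sensitive. Also, since v is now `random_seed` (unsigned int under HAVE_RANDOM), `v = getpid () ^ t.tv_sec ^ t.tv_nsec;` narrows a time_t and long on assignment; harmless here, but an explicit cast or comment would make the truncation visibly intentional rather than an accident of the type change from uintmax_t.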
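The approach the message describes (read the seed from /dev/urandom with raw open/read/close instead of stdio, so exactly as many bytes as the seed holds leave the kernel pool, and fall back to time xor PID only when the device is unavailable) as an added, stand-alone C example. This is not code from Emacs or from the attached patch; the names acquire_seed, read_exactly, demo_short_reads and demo_truncated_source are hypothetical, GnuTLS is deliberately left out so it runs offline (a caller with gnutls_rnd would try that first, as the patch does), and /dev/urandom is assumed readable on the host. It goes one step beyond the patch's single emacs_read call by retrying on EINTR and short reads, refusing a partially filled seed, and reporting which source produced the seed so a caller can tell the weak fallback apart from real entropy.

```c
/* Added example, not from Emacs or the attached patch.  Helper names are
   hypothetical.  Feature macro so O_CLOEXEC/clock_gettime are declared
   under strict -std=c99 as well as the default gnu dialect.  */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <time.h>
#include <unistd.h>
#ifndef O_CLOEXEC
#define O_CLOEXEC 0             /* older headers: lose close-on-exec only */
#endif

/* Which source filled the seed.  The weak fallback is reported rather than
   hidden, so a caller can refuse to use it for anything sensitive.  */
enum seed_source { SEED_FROM_DEVICE = 1, SEED_FROM_TIME_PID = 2 };

/* Read exactly LEN bytes from FD with unbuffered read(2), retrying on
   EINTR and on short reads.  Returns 1 on success, 0 on EOF or error.
   A partially filled buffer is reported as failure: a seed that is half
   entropy and half stale stack contents must not be trusted.  */
static int
read_exactly (int fd, void *buf, size_t len)
{
  unsigned char *p = buf;
  size_t got = 0;
  while (got < len)
    {
      ssize_t n = read (fd, p + got, len - got);
      if (n < 0)
        {
          if (errno == EINTR)
            continue;
          return 0;
        }
      if (n == 0)
        return 0;               /* EOF before the seed was complete */
      got += (size_t) n;
    }
  return 1;
}

/* Fill *SEED from DEVICE using only open/read/close, so exactly
   sizeof *SEED bytes are consumed (fopen/fgetc would pull in a whole stdio
   buffer).  On failure fall back to time xor PID, as the patch does, and
   say so through the return value.  */
enum seed_source
acquire_seed (const char *device, unsigned int *seed)
{
  int fd = open (device, O_RDONLY | O_CLOEXEC);
  if (0 <= fd)
    {
      int ok = read_exactly (fd, seed, sizeof *seed);
      close (fd);
      if (ok)
        return SEED_FROM_DEVICE;
    }
  struct timespec t = { 0, 0 };
  clock_gettime (CLOCK_REALTIME, &t);
  /* Explicit narrowing casts: the seed is only sizeof (unsigned int).  */
  *seed = (unsigned int) getpid ()
          ^ (unsigned int) t.tv_sec ^ (unsigned int) t.tv_nsec;
  return SEED_FROM_TIME_PID;
}

/* Demo 1: a seed delivered in two pieces.  A pipe stands in for the
   device; the constructed bytes are written in two writes, so the first
   read(2) may return only 2 of the 4 bytes.  Returns 1 when the bytes read
   back equal the bytes written.  */
int
demo_short_reads (void)
{
  int fds[2];
  unsigned char in[4] = { 0xde, 0xad, 0xbe, 0xef }, out[4] = { 0 };
  if (pipe (fds) != 0)
    return 0;
  if (write (fds[1], in, 2) != 2 || write (fds[1], in + 2, 2) != 2)
    { close (fds[0]); close (fds[1]); return 0; }
  close (fds[1]);
  int ok = read_exactly (fds[0], out, sizeof out);
  close (fds[0]);
  return ok && memcmp (in, out, sizeof in) == 0;
}

/* Demo 2: the source ends after 3 of the 4 bytes.  Returns 1 when
   read_exactly correctly reports failure instead of handing back a
   partial seed that would then be used as if it were complete.  */
int
demo_truncated_source (void)
{
  int fds[2];
  unsigned char in[3] = { 1, 2, 3 }, out[4] = { 0 };
  if (pipe (fds) != 0)
    return 0;
  if (write (fds[1], in, 3) != 3)
    { close (fds[0]); close (fds[1]); return 0; }
  close (fds[1]);
  int ok = read_exactly (fds[0], out, sizeof out);
  close (fds[0]);
  return ok == 0;
}
```

Whatever the source, the seed is only sizeof (unsigned int) bytes, because that is all srandom accepts; the generator it feeds is not a CSPRNG, so none of this makes `random` suitable for keys or tokens. The point of reporting the source is that a caller can treat SEED_FROM_TIME_PID as a degraded state rather than silently carrying on, which is the behaviour the patch's fallback path has.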