From: Paul Eggert <eggert@cs.ucla.edu>
To: Eli Zaretskii <eliz@gnu.org>
Cc: rcopley@gmail.com, 22202@debbugs.gnu.org, deng@randomsample.de
Subject: bug#22202: 24.5; SECURITY ISSUE -- Emacs Server vulnerable to random number generator attack on Windows systems
Date: Mon, 18 Jan 2016 12:50:12 -0800 [thread overview]
Message-ID: <569D5004.5080701@cs.ucla.edu> (raw)
In-Reply-To: <83fuxuevs2.fsf@gnu.org>
[-- Attachment #1: Type: text/plain, Size: 2551 bytes --]
Eli Zaretskii wrote:
> I wish we'd discuss such things before committing and not after.
Sorry, I missed the part of the discussion that talked about reading
/dev/urandom in the first place.
> . I see nothing wrong with having 2 (or more) independent reads from
> /dev/urandom:
It's one more thing to worry about when auditing an Emacs trace. Also, it's two
file descriptors (both open at the same time) when we can get by with just one.
> . GnuTLS is a separate library, so it's free to do that for its
> own purposes; we shouldn't care.
Yes and no. Yes, we shouldn't care how GnuTLS gets entropy; and no, because if
GnuTLS is available we should be better off using its entropy source than
rolling our own. The GnuTLS guys are far more expert in this stuff; why reinvent
the wheel? And if the GnuTLS entropy source is busted, Emacs is already insecure
in dozens of important ways, so using that source here shouldn't make matters
significantly worse.
> Besides, what if tomorrow
> there will be a 3rd library that would need to access
> /dev/urandom?
Not our problem. As you say, libraries are free to do that for their own
purposes, and we shouldn't care.
> . GnuTLS is a library for TLS, not for cryptography.
GnuTLS is not just for TLS, it's for secure communications. Getting a nonce is a
basic building block for such a library. They're not going to remove a basic
building block.
> What if tomorrow GnuTLS changes its implementation?
That's fine. We don't need to know the details of how GnuTLS gets its nonces.
For example, if it starts using the RDRAND instruction available on Ivy Bridge
and later Intel processors, more power to them. We shouldn't care.
> . This change means that we now load GnuTLS at startup, even if no
> TLS connections are or will be used.
That's already true on GNU and POSIXish platforms, so it's not a problem there.
It is an issue on MS-Windows, though, so your change to avoid GnuTLS here on
MS-Windows makes sense.
> Why is it suddenly a concern that users will know that we use time and
> PID as fallback?
Merely because we're in the neighborhood anyway and it's the first time I
noticed that this detail was documented. The detail doesn't belong in the
documentation; Emacs shouldn't promise that it'll use the PID, for example.
One other thing, while we're nearby: the doc shouldn't assume that readers know
that time-of-day etc. is less random.
How about the attached patch? It should address these documentation concerns.
[-- Attachment #2: t.diff --]
[-- Type: text/x-diff, Size: 1316 bytes --]
diff --git a/doc/lispref/numbers.texi b/doc/lispref/numbers.texi
index 3a9483a..28eb6b1 100644
--- a/doc/lispref/numbers.texi
+++ b/doc/lispref/numbers.texi
@@ -1252,9 +1252,9 @@ Random Numbers
(@pxref{Integer Basics}).
If @var{limit} is @code{t}, it means to choose a new seed as if Emacs
-were restarting. The new seed will be set from the system entropy, if
-that is available, or from the current time and Emacs process's PID
-(@pxref{System Environment, emacs-pid}) if not.
+were restarting, typically from the system entropy. On systems
+lacking entropy pools, choose the seed from less-random volatile data
+such as the current time.
If @var{limit} is a string, it means to choose a new seed based on the
string's contents.
diff --git a/src/fns.c b/src/fns.c
index 19fa440..86ad333 100644
--- a/src/fns.c
+++ b/src/fns.c
@@ -51,7 +51,7 @@ and `most-positive-fixnum', inclusive, are equally likely.
With positive integer LIMIT, return random number in interval [0,LIMIT).
With argument t, set the random number seed from the system's entropy
-pool, or from the current time and pid if entropy is unavailable.
+pool if available, otherwise from less-random volatile data such as the time.
With a string argument, set the seed based on the string's contents.
Other values of LIMIT are ignored.
next prev parent reply other threads:[~2016-01-18 20:50 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-18 10:05 bug#22202: 24.5; SECURITY ISSUE -- Emacs Server vulnerable to random number generator attack on Windows systems Demetri Obenour
2015-12-18 10:46 ` Eli Zaretskii
2015-12-29 15:36 ` Richard Copley
2015-12-29 16:21 ` Eli Zaretskii
2015-12-29 17:44 ` Richard Copley
2015-12-29 20:00 ` David Engster
2015-12-29 21:22 ` Richard Copley
2015-12-29 22:02 ` David Engster
2015-12-29 23:13 ` Richard Copley
2015-12-30 15:58 ` Eli Zaretskii
2015-12-30 20:47 ` Richard Copley
2015-12-30 20:56 ` Richard Copley
2015-12-30 20:56 ` Eli Zaretskii
2015-12-30 21:15 ` Richard Copley
2015-12-31 14:14 ` Eli Zaretskii
2015-12-31 17:04 ` Demetrios Obenour
2015-12-31 17:24 ` Eli Zaretskii
2015-12-31 17:47 ` Richard Copley
2015-12-31 18:22 ` Eli Zaretskii
2015-12-31 19:20 ` Eli Zaretskii
2015-12-31 19:49 ` Richard Copley
2015-12-31 20:13 ` Eli Zaretskii
2015-12-31 20:44 ` Richard Copley
2016-01-15 9:55 ` Eli Zaretskii
2016-01-17 20:26 ` Paul Eggert
2016-01-18 1:42 ` Paul Eggert
2016-01-18 14:40 ` Richard Copley
2016-01-18 16:05 ` Eli Zaretskii
2016-01-18 16:20 ` Richard Copley
2016-01-18 15:45 ` Eli Zaretskii
2016-01-18 20:50 ` Paul Eggert [this message]
2016-01-18 21:09 ` Eli Zaretskii
2016-01-19 5:34 ` Paul Eggert
2016-01-19 16:24 ` Eli Zaretskii
2016-01-19 17:03 ` John Wiegley
2016-01-19 17:38 ` Paul Eggert
2016-01-19 18:44 ` Eli Zaretskii
2016-01-19 17:07 ` Paul Eggert
2016-01-19 18:16 ` Eli Zaretskii
2016-01-20 0:39 ` Paul Eggert
2016-01-18 12:04 ` Andy Moreton
2016-01-18 15:57 ` Eli Zaretskii
2016-01-18 23:03 ` John Wiegley
2016-01-19 21:48 ` Andy Moreton
2016-01-20 3:31 ` Glenn Morris
2016-01-20 14:06 ` Andy Moreton
2016-01-20 14:12 ` Eli Zaretskii
2016-01-20 15:15 ` Andy Moreton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=569D5004.5080701@cs.ucla.edu \
--to=eggert@cs.ucla.edu \
--cc=22202@debbugs.gnu.org \
--cc=deng@randomsample.de \
--cc=eliz@gnu.org \
--cc=rcopley@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).