From: Paul Eggert <eggert@cs.ucla.edu>
To: Eli Zaretskii <eliz@gnu.org>, John Wiegley <johnw@gnu.org>
Cc: rcopley@gmail.com, 22202@debbugs.gnu.org, deng@randomsample.de
Subject: bug#22202: 24.5; SECURITY ISSUE -- Emacs Server vulnerable to random number generator attack on Windows systems
Date: Tue, 19 Jan 2016 09:07:15 -0800 [thread overview]
Message-ID: <569E6D43.5080705@cs.ucla.edu> (raw)
In-Reply-To: <83y4blbkrj.fsf@gnu.org>
On 01/19/2016 08:24 AM, Eli Zaretskii wrote:
> So it's a bug or misfeature in GnuTLS.
GnuTLS has been operating that way for a while, and it works. Calling
its behavior a "bug or misfeature" seems a stretch.
If we change Emacs back to always read /dev/urandom by hand as well has
have GnuTLS read /dev/urandom at startup, this will cause Emacs to
exhaust the GNU/Linux entropy pool more quickly. This may slow down
other programs that read /dev/random (a device that blocks until entropy
is available). So there is an overall system benefit to minimizing the
use of /dev/urandom, which was the point of my original patch.
>> If Emacs opens /dev/urandom independently it can have two file descriptors open to the same file. Yes, it's not a huge deal performance-wise; but it is strange, and when doing security audits it will be one more thing to explain.
> GnuTLS guys need to explain this, not us.
Any explanation they come up with will have to be part of our
explanation, since we're responsible for Emacs. Our explanation will
also have to cover Emacs's added accesses, so minimizing them will be a win.
>> But where we need to seed our own PRNG, we better had a good idea of
>> what we do and what kind of randomness we get.
>>
>> Any worries we might have about GnuTLS's randomness apply with equal force to /dev/urandom's. After all, /dev/urandom is not guaranteed to be random.
> No, /dev/urandom is random enough for our purposes.
In that case GnuTLS's nonce generator is random enough for our purposes,
and we have a good idea of what kind of randomness we get.
>
>> Really, though, if we can't trust GnuTLS to give us random data, we should not trust it for communications security at all. Nonces are that basic.
> We could stop trusting GnuTLS for communications security, but we
> still need the secure random seed for server-start.
If we stop trusting or using GnuTLS, the code will still get a secure
random seed by hand, so that's not a problem. But currently we do trust
and use GnuTLS by default, and there are no plans to change this.
> We have what we need; calling gnutls_rnd changes nothing in this
> regard. It's just a more complex way of issuing the same system calls.
They are not the same system calls. If they were the same, you would be
right and we shouldn't bother with GnuTLS here. They are different
sequences of system calls, and the sequence that uses GnuTLS lessens
entropy consumption and simplifies audits.
next prev parent reply other threads:[~2016-01-19 17:07 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-18 10:05 bug#22202: 24.5; SECURITY ISSUE -- Emacs Server vulnerable to random number generator attack on Windows systems Demetri Obenour
2015-12-18 10:46 ` Eli Zaretskii
2015-12-29 15:36 ` Richard Copley
2015-12-29 16:21 ` Eli Zaretskii
2015-12-29 17:44 ` Richard Copley
2015-12-29 20:00 ` David Engster
2015-12-29 21:22 ` Richard Copley
2015-12-29 22:02 ` David Engster
2015-12-29 23:13 ` Richard Copley
2015-12-30 15:58 ` Eli Zaretskii
2015-12-30 20:47 ` Richard Copley
2015-12-30 20:56 ` Richard Copley
2015-12-30 20:56 ` Eli Zaretskii
2015-12-30 21:15 ` Richard Copley
2015-12-31 14:14 ` Eli Zaretskii
2015-12-31 17:04 ` Demetrios Obenour
2015-12-31 17:24 ` Eli Zaretskii
2015-12-31 17:47 ` Richard Copley
2015-12-31 18:22 ` Eli Zaretskii
2015-12-31 19:20 ` Eli Zaretskii
2015-12-31 19:49 ` Richard Copley
2015-12-31 20:13 ` Eli Zaretskii
2015-12-31 20:44 ` Richard Copley
2016-01-15 9:55 ` Eli Zaretskii
2016-01-17 20:26 ` Paul Eggert
2016-01-18 1:42 ` Paul Eggert
2016-01-18 14:40 ` Richard Copley
2016-01-18 16:05 ` Eli Zaretskii
2016-01-18 16:20 ` Richard Copley
2016-01-18 15:45 ` Eli Zaretskii
2016-01-18 20:50 ` Paul Eggert
2016-01-18 21:09 ` Eli Zaretskii
2016-01-19 5:34 ` Paul Eggert
2016-01-19 16:24 ` Eli Zaretskii
2016-01-19 17:03 ` John Wiegley
2016-01-19 17:38 ` Paul Eggert
2016-01-19 18:44 ` Eli Zaretskii
2016-01-19 17:07 ` Paul Eggert [this message]
2016-01-19 18:16 ` Eli Zaretskii
2016-01-20 0:39 ` Paul Eggert
2016-01-18 12:04 ` Andy Moreton
2016-01-18 15:57 ` Eli Zaretskii
2016-01-18 23:03 ` John Wiegley
2016-01-19 21:48 ` Andy Moreton
2016-01-20 3:31 ` Glenn Morris
2016-01-20 14:06 ` Andy Moreton
2016-01-20 14:12 ` Eli Zaretskii
2016-01-20 15:15 ` Andy Moreton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=569E6D43.5080705@cs.ucla.edu \
--to=eggert@cs.ucla.edu \
--cc=22202@debbugs.gnu.org \
--cc=deng@randomsample.de \
--cc=eliz@gnu.org \
--cc=johnw@gnu.org \
--cc=rcopley@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).