Having a single, good arc4random in Debian

[Steven Chamberlain <steven@pyro.eu.org>]

Hi,

I think it would be good for Debian to standardise on a single, good
arc4random implementation, available to any application that wants to
use it.

I'd like it to become ubiquitous, on all Debian arches (and eventually
other distributions).  We should ensure applications do find it and use
it, instead of using risky fallbacks like rand(), getpid() and time().
(Scan build logs for "checking.*arc4random" for example).

We could deprecate dozens of code copies, most of them unmaintained,
some having known security flaws that were fixed in later versions.

Looking further ahead, if we want to adopt sandboxing techniques, we
may want alternatives to /dev/urandom or sysctl.  That may be arch-
specific, so it would be great if we only had to implement it in one
library.

The most obvious candidate to me is libbsd, which exports an arc4random
and some other useful things.  It has a permissive license, is very
small and has no external dependencies.  It would be important to make
sure its arc4random is good, but my point it that it is better to have
all eyes and effort concentrated on that one Debian package, than the
current situation.

There may be a POSIX standard agreed someday for posix_random(3) which
could be easily implemented as a wrapper around arc4random or vice-
versa.  [http://austingroupbugs.net/view.php?id=859]

More background information follows.  What do others think about going
in this direction;  the Debian Security Team in particular?  Thanks!


OpenBSD's arc4random has evolved from a bare RC4 stream cipher, to an
(safer?) revision discarding early keystream,  now to ChaCha20.  Its
reseeding methods have been updated to defend against fd exhaustion
or missing /dev/urandom, for lack of a certain sysctl on Linux, adding
fallbacks in case even that doesnt work, and to detect forking (which
has itself been reworked a couple of times after e.g. the getpid flaw
Andrew Ayer reported).

So we have embedded copies of arc4random and getentropy code throughout
the Debian archive, some better than others:

  * in OpenSSH Portable's openbsd-compat/
  * in OpenSMTPD's openbsd-compat/
  * in OpenNTPD's compat/
  * in signify-openbsd's arc4random.c
  * in LibreSSL Portable, if Debian ever has that.

I've been warned to leave those alone, since OpenBSD is responsible for
maintaining those code copies, and I expect they will do a good job of
that.  But I'm more concerned about:

  * getdns recently put copies in src/compat/
  * libevent has a copy of old arc4random.c
  * libdumbnet has it in src/rand.c
  * epic5 has it in source/compat.c
  * isakmpd has it in sysdep/common/libsysdep/arc4random.c
  * gtk-gnutella has it in src/lib/arc4random.c
  * rdate has it in src/arc4random.c
  * pure-ftpd has it in src/alt_arc4random.c
  * samhain embeds it inline in src/dnmalloc.c
  * newlib has one in winsup/cygwin/libc/arc4random.cc, likely unused
  * ntp has a copy of old arc4random in sntp/libevent/arc4random.c
    (embedded code from OpenBSD within embedded copy of libevent)
  * icedove has the same thing in
    mozilla/ipc/chromium/src/third_party/libevent/arc4random.c
  * dnscrypt-proxy has it in src/libevent-modified/arc4random.c
  * cargo has an embedded copy of libressl sources having
    libressl/crypto/compat/arc4random.c

And then there are situations where applications do... less desirable
things when they don't have a good arc4random available.

  * librpcsecgss has this gem in clnttcp_create()/clntudp_bufcreate(),
    I hope it's nothing too important:

https://codesearch.debian.net/results/arc4random%20package%3Alibrpcsecgss/page_0
#if defined (__linux__) || defined(__GLIBC__)
        call_msg.rm_xid = getpid() ^ now.tv_sec ^ now.tv_usec;
#else
        call_msg.rm_xid = arc4random();
#endif

  * mediatomb does something similar:
https://sources.debian.net/src/mediatomb/0.12.1-47-g7ab7616-1/tombupnp/threadutil/src/ThreadPool.c/?hl=376#L375

  * qtwebkit-opensource-src calls currentTime()*10000 an EntropySource:
https://sources.debian.net/src/qtwebkit-opensource-src/5.5.1%2Bdfsg-2/Source/WTF/wtf/FastMalloc.cpp/?hl=523#L523

  * qtwebkit even has a comment that "ASLR currently only works on
    darwin (due to arc4random)", applies to openjfx also:
https://sources.debian.net/src/qtwebkit/2.3.4.dfsg-6/Source/WTF/wtf/OSAllocatorPosix.cpp/?hl=107#L94

  * istgt falls back from arc4random() > srandomdev() > pid XOR time:
https://sources.debian.net/src/istgt/0.4~20111008-3/src/istgt_misc.c/?hl=489#L469

  * exim4 does the same thing:
https://sources.debian.net/src/exim4/4.86-7/src/expand.c/?hl=970#L947

  * opendnssec falls back to random():
https://sources.debian.net/src/opendnssec/1:1.4.8.2-1/signer/src/shared/duration.c/?hl=427#L424

  * ucarp too:
https://sources.debian.net/src/ucarp/1.5.2-2/src/carp.c/?hl=232#L231

  * belle-sip too:
https://sources.debian.net/src/belle-sip/1.4.1-1/src/dns.c/?hl=353#L353

  * nsd too:
https://sources.debian.net/src/nsd/4.1.7-1/util.c/?hl=914#L914

  * syrep too, "I hope this is random enough":
https://sources.debian.net/src/syrep/0.9-4.2/src/mkdtemp.c/?hl=39#L39

  * linux-ftpd too:
https://sources.debian.net/src/linux-ftpd/0.17-35/ftpd/ftpd.c/?hl=1130#L1129

  * apr too:
https://sources.debian.net/src/apr/1.5.2-3/file_io/unix/mktemp.c/?hl=70#L70

  * isomaster too:
https://sources.debian.net/src/isomaster/1.3.13-1/editfile.c/?hl=512#L517

  * nsd too:
https://sources.debian.net/src/nsd/4.1.7-1/server.c/?hl=908#L908

  * polarssl falls back to rand()!  Only for testsuite I think.
https://sources.debian.net/src/polarssl/1.3.9-2.1/library/rsa.c/?hl=1520#L1520

  * bind9 uses rand(), seeded by pid XOR time:
https://sources.debian.net/src/bind9/1:9.9.5.dfsg-9/lib/isc/random.c/?hl=98#L76

  * mediatomb too:
https://sources.debian.net/src/mediatomb/0.12.1-47-g7ab7616-1/tombupnp/threadutil/src/ThreadPool.c/?hl=376#L378

  * mcabber too, only seeded by time():
https://sources.debian.net/src/mcabber/0.10.2-1/mcabber/xmpp.c/?hl=1872#L1871

  * libxdmcp too:
https://sources.debian.net/src/libxdmcp/1:1.1.2-1.1/Key.c/?hl=77#L68

  * wdm too:
https://sources.debian.net/src/wdm/1.28-18/src/wdm/genauth.c/?hl=108#L108

  * cln too:
https://sources.debian.net/src/cln/1.3.4-1/src/base/random/cl_random_from.cc/?hl=95#L85

  * libice too, seems risky:
https://sources.debian.net/src/libice/2:1.0.9-1/src/iceauth.c/?hl=68#L68

  * llvm-toolchain-3.6 has slightly better fallback for lack of
    arc4random():
https://sources.debian.net/src/llvm-toolchain-3.6/1:3.6.2-3/lib/Support/Unix/Process.inc/?hl=444#L422

  * nmh does the same in sbr/m_rand.c

  * pgbouncer has its own embededded Keccak or ChaCha20 as fallback for
    lack of arc4random, and its own fallback for lack of getentropy:
https://sources.debian.net/src/pgbouncer/1.7-1/lib/usual/crypto/csrandom.c/#L48

  * vnc4 falls back to /dev/urandom but doesn't look robust in case it
    can't be opened/read:
https://sources.debian.net/src/vnc4/4.1.1%2BX4.3.0-37.6/unix/xc/programs/xdm/genauth.c/?hl=118#L118

  * php7.0 also tries the getrandom syscall proposed for POSIX:
https://sources.debian.net/src/php7.0/7.0.1-1/ext/standard/random.c/?hl=96#L95

  * libsodium too:
https://sources.debian.net/src/libsodium/1.0.3-1/src/libsodium/randombytes/sysrandom/randombytes_sysrandom.c/?hl=52#L267

  * openssl uses the strong arc4random on OpenBSD, otherwise falls back
    to something that has been... problematic before in Debian.

... you get the idea.

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org

Attachment: signature.asc
Description: Digital signature