| From: | Noah Misch <noah(at)leadboat(dot)com> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Marko Kreen <markokr(at)gmail(dot)com>, Postgres Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: pgcrypto seeding problem when ssl=on |
| Date: | 2013-02-09 18:23:12 |
| Message-ID: | 20130209182312.GA30038@tornado.leadboat.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Sun, Jan 13, 2013 at 07:01:07PM -0500, Noah Misch wrote:
> On Sun, Jan 13, 2013 at 05:46:12PM -0500, Tom Lane wrote:
> > Marko Kreen <markokr(at)gmail(dot)com> writes:
> > > On Fri, Dec 21, 2012 at 10:27 PM, Noah Misch <noah(at)leadboat(dot)com> wrote:
> > >> How about instead calling RAND_cleanup() after each backend fork?
> >
> > > Attached is a patch that adds RAND_cleanup() to fork_process().
> >
> > I remain unconvinced that this is the best solution. Anybody else have
> > an opinion?
>
> I'd describe it as the clearly-secure solution. The biggest hazard I see is
> the drain on system entropy. A system having only a blocking /dev/random
> could suddenly find itself entropy-exhausted after installing the minor
> upgrade. Backends could block waiting for system entropy to accumulate.
> That's not directly a problem on Linux. However, if other programs on the
> system read from /dev/random, the pressure from PostgreSQL's /dev/urandom
> usage may make those programs wait longer for entropy.
>
> I'm also comfortable with the security of Marko's original proposal, modulo it
> happening in each backend shortly after fork, not merely in pgcrypto.
> OpenSSL's ssl module uses a similar method, and one of the papers I cited
> describes it. (If anything, OpenSSL is less cautious. It uses time(), not
> gettimeofday().) The performance characteristics of this approach are easier
> to guess: one system call if we use MyProcPid + gettimeofday(), zero if we use
> MyProcPid + MyStartTime.
>
> You proposed mixing gettimeofday() into the postmaster's entropy pool after
> each fork. I wouldn't be too concerned if we did it that way, but my quick
> literature review did not turn up any similar ideas. Given that this is
> strictly more expensive than the previous method, I don't recommend it.
>
> Overall, I'd recommend mixing in MyProcPid and MyStartTime after each fork.
I neglected to ping this for the last back-branch releases. May we adopt one
of the above fixes and issue a CVE with the next releases? Though I've stated
my preference, all three proposals would be major improvements over the
present, quietly-vulnerable state.
Thanks,
nm
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Pavel Stehule | 2013-02-09 18:30:17 | Re: Re: proposal: a width specification for s specifier (format function), fix behave when positional and ordered placeholders are used |
| Previous Message | Tom Lane | 2013-02-09 17:19:09 | Re: Patch: log level change in gistsplit.c |