OpenSSL randomness seeding

From: Daniel Gustafsson <daniel(at)yesql(dot)se>
To: Postgres hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: OpenSSL randomness seeding
Date: 2020-07-21 12:13:32
Message-ID: 9B038FA5-23E8-40D0-B932-D515E1D8F66A@yesql.se
Lists: pgsql-hackers

After forking we call RAND_cleanup in fork_process.c to force a re-seed to
ensure that two backends cannot share a sequence. OpenSSL 1.1.0 deprecated
RAND_cleanup, and contrary to how they usually leave deprecated APIs working
until removed, they decided to silently make this call a noop like below:

# define RAND_cleanup() while(0) continue

This leaves our defence against pool sharing seemingly useless, and also
against the recommendations of OpenSSL for versions > 1.1.0 and < 1.1.1 where
the RNG was rewritten:

https://wiki.openssl.org/index.php/Random_fork-safety

The silver lining here is that while OpenSSL nooped RAND_cleanup, they also
changed what is mixed into seeding so we are still not sharing a sequence. To
fix this, changing the RAND_cleanup call to RAND_poll should be enough to
ensure re-seeding after forking across all supported OpenSSL versions. Patch
0001 implements this along with a comment referencing when it can be removed
(which most likely won't be for quite some time).

Another thing that stood out when reviewing this code is that we optimize for
RAND_poll failing in pg_strong_random, when we already have RAND_status
checking for a sufficiently seeded RNG for us. ISTM that we can simplify the
code by letting RAND_status do the work as per 0002, and also (while unlikely)
survive any transient failures in RAND_poll by allowing all the retries we've
defined for the loop.

Also, as a disclaimer, this was brought up with the PostgreSQL security team
first, who have given permission to discuss this in public.

Thoughts on these?

cheers ./daniel

Attachment Content-Type Size
0002-Remove-optimization-for-RAND_poll-failing.patch application/octet-stream 1.6 KB
0001-Use-RAND_poll-for-seeding-randomness-after-fork.patch application/octet-stream 1.1 KB
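
The hazard that the fork-time re-seed guards against, modelled as an added example (not PostgreSQL's or OpenSSL's code). toy_next and toy_poll are hypothetical stand-ins: a non-cryptographic xorshift64 pool and a RAND_poll-like reseed from /dev/urandom. The child repeats the parent's output unless it mixes in fresh entropy after fork.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Toy process-local pool (xorshift64): stand-in for a userspace RNG state.
 * Not OpenSSL and not cryptographic. */
static uint64_t pool;

static uint64_t toy_next(void)
{
    pool ^= pool << 13; pool ^= pool >> 7; pool ^= pool << 17;
    return pool;
}

/* Hypothetical stand-in for RAND_poll(): mix kernel entropy into the pool.
 * Returns 1 on success, 0 on failure. */
static int toy_poll(void)
{
    uint64_t fresh = 0;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return 0;
    size_t n = fread(&fresh, sizeof fresh, 1, f);
    fclose(f);
    if (n == 1) pool ^= fresh;
    if (pool == 0) pool = 1;            /* xorshift state must stay non-zero */
    return n == 1;
}

/* 1 if parent and child draw the same value after fork, 0 if not, -1 on error. */
int fork_shares_sequence(int reseed_in_child)
{
    int fd[2];
    uint64_t child_val = 0;
    pool = 0x9E3779B97F4A7C15ULL;       /* constructed seed: state before fork */
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return -1; }
    if (pid == 0) {                     /* child inherits an exact copy of pool */
        if (reseed_in_child && !toy_poll()) _exit(1);
        child_val = toy_next();
        _exit(write(fd[1], &child_val, sizeof child_val) == (ssize_t) sizeof child_val ? 0 : 1);
    }
    close(fd[1]);
    ssize_t got = read(fd[0], &child_val, sizeof child_val);
    close(fd[0]);
    waitpid(pid, NULL, 0);
    if (got != (ssize_t) sizeof child_val) return -1;
    return toy_next() == child_val;     /* parent draws from its own copy */
}
```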
