Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unconditionally use libc::getrandom on Illumos and libc::geentropy on Solaris #417

Merged
merged 2 commits into from
May 5, 2024

Conversation

josephlr
Copy link
Member

@josephlr josephlr commented May 2, 2024

Fixes #413

Also removes the use of GRND_RANDOM, which appears to be based on outdated staements about the RNGs. For Solaris, see this blog post. For Illumos, the algorithms are less clear, but I don't see a clear reason to continue using GRND_RANDOM.

I updated the documentation in getrandom.rs to full document this decision and to have a common place listing when getrandom(2) became avalible on each platform. I also updated the main lib.rs docs to point to the correct man pages.

Note that Solaris 11.3 has a maximum buffer length of 1024 bytes, while Illumos doesn't have this sort of issue.

@josephlr josephlr requested a review from newpavlov May 2, 2024 07:50
src/getrandom.rs Outdated Show resolved Hide resolved
src/getrandom.rs Outdated Show resolved Hide resolved
src/getrandom.rs Outdated Show resolved Hide resolved
src/getrandom.rs Outdated Show resolved Hide resolved
Also removes the use of `GRND_RANDOM`, which appears to be based on
outdated staements about the RNGs. For Solaris, see
[this blog post](https://blogs.oracle.com/solaris/post/solaris-new-system-calls-getentropy2-and-getrandom2).
For Illumos, the algorithms are less clear, but I don't see a clear
reason to continue using `GRND_RANDOM`.

I updated the documentation in `getrandom.rs` to full document this
decision and to have a common place listing when `getrandom(2)` became
avalible on each platform. I also updated the main lib.rs docs to point
to the correct man pages.

Note that Solaris 11.3 has a maximum buffer length of 1024 bytes,
while Illumos doesn't have this sort of issue.

Signed-off-by: Joe Richey <[email protected]>
@jclulow
Copy link

jclulow commented May 2, 2024

Seems reasonable from an illumos perspective, with a small nit: we don't capitalise the "i" in illumos when it appears in print. Thanks!

@newpavlov
Copy link
Member

@josephlr
I've switched Soalris to the getentropy backend and tweaked some docs. If you do not have any other changes in mind, I think we can merge this PR.

@newpavlov newpavlov changed the title Unconditionally use libc::getrandom on Illumos and Solaris Unconditionally use libc::getrandom on Illumos and libc::geentropy on Solaris May 3, 2024
@newpavlov newpavlov merged commit 924c88d into rust-random:master May 5, 2024
51 checks passed
@newpavlov newpavlov mentioned this pull request May 5, 2024
@josephlr josephlr deleted the solaris branch May 6, 2024 05:53
@josephlr
Copy link
Member Author

josephlr commented May 6, 2024

Thanks for merging this (and sorry for not being responsive).

Per Solaris docs:

This means this is not an acceptable calling sequence: (void) getrandom(&buf, sizeof (buf), 0);

Maybe keep Solaris code in a separate module for now, since it's the only target with MAX_BYTES and zero flag idiosyncrasies? IIUC we will need to use GRND_NONBLOCK and if it returns EAGAIN wait on GRND_RANDOM.

@newpavlov after rereading the solaris documentation, I think we misread things. That comment isn't saying "passing 0 for flags can be insecure during early boot". It's saying "you need to check the return value to make sure the buffer actually got filled with random bytes" (which we obviously do). Furthermore, the following line from the man page seems to suggest that this function behaves correctly during early boot:

If no entropy is available in the pool, the getrandom() function will block

There's also the following comment from the blog post introducing getrandom() and getentropy()

On Solaris the output of getentropy(2) is entropy and should not be used where randomness is needed, in particular it must not be used where an IV or nonce is needed when calling a cryptographic operation. It is intended only for seeding a user space RBG (Random Bit Generator) system. More specifically the data returned by getentropy(2) has not had the required FIPS 140-2 processing for the DRBG applied to it.

Given this, should we use getrandom(2) on Solaris (with the additional max buffer logic)?

josephlr added a commit that referenced this pull request May 6, 2024
#417 used `getentropy(2)`
on Solaris, but after looking at
[the blog post introducing `getrandom()` and
`getentropy()`](https://blogs.oracle.com/solaris/post/solaris-new-system-calls-getentropy2-and-getrandom2),
it seems like we should prefer using `getrandom` based on this quote:

> On Solaris the output of getentropy(2) is entropy and should not be used where randomness is needed, in particular it must not be used where an IV or nonce is needed when calling a cryptographic operation.  It is intended only for seeding a user space RBG (Random Bit Generator) system. More specifically the data returned by getentropy(2) has not had the required FIPS 140-2 processing for the DRBG applied to it.

I also updated some of the documentation explaining:
  - Why we ever use `getentropy(2)`
  - Why we don't ever set `GRND_RANDOM`

Signed-off-by: Joe Richey <[email protected]>
@newpavlov
Copy link
Member

@josephlr
It looks you are right, though it's a bit concerning that all "correct" examples use GRND_RANDOM.

Given this, should we use getrandom(2) on Solaris (with the additional max buffer logic)?

Probably, yes. But we may want to keep it in a separate module. In addition to the max buffer logic, Solaris also guarantees that input buffer will be fully filled:

The other difference is that on Solaris getrandom(2) will either fail completely or will return a buffer filled with the requested size, where as the Linux implementation can return partial buffers.

So we do not need to call sys_fill_exact. IIUC number of bytes can be smaller only if the GRND_NONBLOCK flag is used.

josephlr added a commit that referenced this pull request May 6, 2024
#417 used `getentropy(2)`
on Solaris, but after looking at
[the blog post introducing `getrandom()` and
`getentropy()`](https://blogs.oracle.com/solaris/post/solaris-new-system-calls-getentropy2-and-getrandom2),
it seems like we should prefer using `getrandom` based on this quote:

> On Solaris the output of getentropy(2) is entropy and should not be used where randomness is needed, in particular it must not be used where an IV or nonce is needed when calling a cryptographic operation.  It is intended only for seeding a user space RBG (Random Bit Generator) system. More specifically the data returned by getentropy(2) has not had the required FIPS 140-2 processing for the DRBG applied to it.

I also updated some of the documentation explaining:
  - Why we ever use `getentropy(2)`
  - Why we don't ever set `GRND_RANDOM`

Signed-off-by: Joe Richey <[email protected]>
josephlr added a commit that referenced this pull request May 6, 2024
#417 used `getentropy(2)`
on Solaris, but after looking at
[the blog post introducing `getrandom()` and `getentropy()`](https://blogs.oracle.com/solaris/post/solaris-new-system-calls-getentropy2-and-getrandom2),
it seems like we should prefer using `getrandom` based on this quote:

> On Solaris the output of getentropy(2) is entropy and should not be used where randomness is needed, in particular it must not be used where an IV or nonce is needed when calling a cryptographic operation.  It is intended only for seeding a user space RBG (Random Bit Generator) system. More specifically the data returned by getentropy(2) has not had the required FIPS 140-2 processing for the DRBG applied to it.

I also updated some of the documentation explaining:
  - Why we use `getentropy(2)`
  - Why we only set `GRND_RANDOM` on Solaris

Signed-off-by: Joe Richey <[email protected]>
josephlr added a commit that referenced this pull request May 6, 2024
#417 used `getentropy(2)`
on Solaris, but after looking at
[the blog post introducing `getrandom()` and `getentropy()`](https://blogs.oracle.com/solaris/post/solaris-new-system-calls-getentropy2-and-getrandom2),
it seems like we should prefer using `getrandom` based on this quote:

> On Solaris the output of getentropy(2) is entropy and should not be used where randomness is needed, in particular it must not be used where an IV or nonce is needed when calling a cryptographic operation.  It is intended only for seeding a user space RBG (Random Bit Generator) system. More specifically the data returned by getentropy(2) has not had the required FIPS 140-2 processing for the DRBG applied to it.

I also updated some of the documentation explaining:
  - Why we use `getentropy(2)`
  - Why we only set `GRND_RANDOM` on Solaris

Signed-off-by: Joe Richey <[email protected]>
josephlr added a commit that referenced this pull request May 6, 2024
#417 used `getentropy(2)`
on Solaris, but after looking at
[the blog post introducing `getrandom()` and `getentropy()`](https://blogs.oracle.com/solaris/post/solaris-new-system-calls-getentropy2-and-getrandom2),
it seems like we should prefer using `getrandom` based on this quote:

> On Solaris the output of getentropy(2) is entropy and should not be used where randomness is needed, in particular it must not be used where an IV or nonce is needed when calling a cryptographic operation.  It is intended only for seeding a user space RBG (Random Bit Generator) system. More specifically the data returned by getentropy(2) has not had the required FIPS 140-2 processing for the DRBG applied to it.

I also updated some of the documentation explaining:
  - Why we use `getentropy(2)`
  - Why we only set `GRND_RANDOM` on Solaris

Signed-off-by: Joe Richey <[email protected]>
josephlr added a commit that referenced this pull request May 6, 2024
#417 used `getentropy(2)`
on Solaris, but after looking at
[the blog post introducing `getrandom()` and `getentropy()`](https://blogs.oracle.com/solaris/post/solaris-new-system-calls-getentropy2-and-getrandom2),
it seems like we should prefer using `getrandom` based on this quote:

> On Solaris the output of getentropy(2) is entropy and should not be used where randomness is needed, in particular it must not be used where an IV or nonce is needed when calling a cryptographic operation.  It is intended only for seeding a user space RBG (Random Bit Generator) system. More specifically the data returned by getentropy(2) has not had the required FIPS 140-2 processing for the DRBG applied to it.

I also updated some of the documentation explaining:
  - Why we use `getentropy(2)`
  - Why we only set `GRND_RANDOM` on Solaris

Signed-off-by: Joe Richey <[email protected]>
josephlr added a commit that referenced this pull request May 6, 2024
#417 used `getentropy(2)`
on Solaris, but after looking at
[the blog post introducing `getrandom()` and `getentropy()`](https://blogs.oracle.com/solaris/post/solaris-new-system-calls-getentropy2-and-getrandom2),
it seems like we should prefer using `getrandom` based on this quote:

> On Solaris the output of getentropy(2) is entropy and should not be used where randomness is needed, in particular it must not be used where an IV or nonce is needed when calling a cryptographic operation.  It is intended only for seeding a user space RBG (Random Bit Generator) system. More specifically the data returned by getentropy(2) has not had the required FIPS 140-2 processing for the DRBG applied to it.

I also updated some of the documentation explaining:
  - Why we use `getentropy(2)`
  - Why we only set `GRND_RANDOM` on Solaris

Signed-off-by: Joe Richey <[email protected]>
josephlr added a commit that referenced this pull request May 6, 2024
#417 used `getentropy(2)`
on Solaris, but after looking at
[the blog post introducing `getrandom()` and `getentropy()`](https://blogs.oracle.com/solaris/post/solaris-new-system-calls-getentropy2-and-getrandom2),
it seems like we should prefer using `getrandom` based on this quote:

> On Solaris the output of getentropy(2) is entropy and should not be used where randomness is needed, in particular it must not be used where an IV or nonce is needed when calling a cryptographic operation.  It is intended only for seeding a user space RBG (Random Bit Generator) system. More specifically the data returned by getentropy(2) has not had the required FIPS 140-2 processing for the DRBG applied to it.

I also updated some of the documentation explaining:
  - Why we use `getentropy(2)`
  - Why we only set `GRND_RANDOM` on Solaris

Signed-off-by: Joe Richey <[email protected]>
josephlr added a commit that referenced this pull request May 6, 2024
#417 used `getentropy(2)`
on Solaris, but after looking at
[the blog post introducing `getrandom()` and `getentropy()`](https://blogs.oracle.com/solaris/post/solaris-new-system-calls-getentropy2-and-getrandom2),
it seems like we should prefer using `getrandom` based on this quote:

> On Solaris the output of getentropy(2) is entropy and should not be used where randomness is needed, in particular it must not be used where an IV or nonce is needed when calling a cryptographic operation.  It is intended only for seeding a user space RBG (Random Bit Generator) system. More specifically the data returned by getentropy(2) has not had the required FIPS 140-2 processing for the DRBG applied to it.

I also updated some of the documentation explaining:
  - Why we use `getentropy(2)`
  - Why we only set `GRND_RANDOM` on Solaris

Signed-off-by: Joe Richey <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Investigate removing fallback logic for Solaris/Illumos
3 participants