EntropySource not seeded properly #7338
Comments
|
Hello! Thanks for shedding a light on this! Could you please describe a problem with a bit more details? From what I have just seen:
|
|
Hi, Thanks for your prompt reply. We started seeing the problem in angular.dart
Let me know if there's anything else I can help you with. On Sat, Mar 22, 2014 at 10:25 PM, Fedor Indutny notifications@github.hscsec.cnwrote:
|
|
I'm not sure what is the problem you are reporting. Is it about that PRNG error that you are seeing? Or is it about size of the seed that v8 is using? |
|
Yes, that's related to PRNG. The problem seems to be that v8 seeds the PRNG On Sat, Mar 22, 2014 at 10:55 PM, Fedor Indutny notifications@github.hscsec.cnwrote:
|
|
v8 does not seed PRNG, the openssl seeds it itself. And this error may happen, if the system's |
|
Yeah, you're right. The title of pull request On Sat, Mar 22, 2014 at 11:28 PM, Fedor Indutny notifications@github.hscsec.cnwrote:
|
|
The weird thing is that this problem never happened until I updated my node I tried downgrading my node to a version before the patch mentioned above On Sun, Mar 23, 2014 at 12:03 AM, Marko Vuksanovic <
|
|
Which version are you referring to? |
|
Actually, it's not the version, it's something else causing this problem. I I actually don't believe (not any more) that this is related to node. It On Sun, Mar 23, 2014 at 12:32 AM, Fedor Indutny notifications@github.hscsec.cnwrote:
|
|
I also checked my /dev/random and /dev/urandom and they seem to work fine... On Sun, Mar 23, 2014 at 1:13 AM, Marko Vuksanovic <markovuksanovic@gmail.com
|
|
It might be worth mentioning the system I'm running on: uname -a > 13.1.0 Darwin Kernel Version 13.1.0: Thu Jan 16 19:40:37 PST On Sun, Mar 23, 2014 at 1:18 AM, Marko Vuksanovic <markovuksanovic@gmail.com
|
|
I tried doing some small nodejs program to check if entropy was ok: var c = require('crypto'); This ran just fine. As soon as I run the angular.dart tests (using karma On Sun, Mar 23, 2014 at 1:41 AM, Marko Vuksanovic <markovuksanovic@gmail.com
|
|
It's possible that #6253 is not enough by itself and that node needs to call RAND_poll() at least once during start-up. Does this patch help? diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index a2b487a..2fbb8d1 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -217,6 +217,7 @@ void ThrowCryptoTypeError(Environment* env, unsigned long err) {
bool EntropySource(unsigned char* buffer, size_t length) {
+ RAND_poll();
// RAND_bytes() can return 0 to indicate that the entropy data is not truly
// random. That's okay, it's still better than V8's stock source of entropy,
// which is /dev/urandom on UNIX platforms and the current time on Windows.EDIT: When I say "not enough by itself", what I mean is that it's conceivable that another in-process actor consumes the entropy before node gets a chance to pass it on to V8. |
|
@bnoordhuis that could work although I won't be able to verify today. I was also wondering if it makes sense to call RAND_seed instead of RAND_poll? |
|
RAND_seed() is only useful if you have random data to seed the PRNG with. I don't think we have that anywhere unless you count the stack. Seems like a risky proposition, that early after start-up. (EDIT: Or in general; the contents of the stack is often highly predictable.) |
|
@bnoordhuis Thanks for the explanation. One other thing that might be worth mentioning, is that I never see the error if I get pseudoRandomBytes instead of randomBytes. Not sure if that piece of information can reveal anything useful about this issue... |
|
@markovuksanovic this is expected, those two functions are the same, but the latter one doesn't check if it's entropy pool is seeded properly. |
|
@indutny @bnoordhuis Adding RAND_poll seems to have solved the problem. I'll try to use this custom built version and see if the problem occurs again. I'll update here in a day or two to let you know, but for now it seems that the problem is gone. |
|
@indutny @bnoordhuis Have been using this for a day now and no issues so far... |
|
Great! @bnoordhuis mind submitting a PR for this? |
Ensure that OpenSSL has enough entropy (at least 256 bits) for its PRNG. The entropy pool starts out empty and needs to fill up before the PRNG can be used securely. OpenSSL normally fills the pool automatically but not when someone starts generating random numbers before the pool is full: in that case OpenSSL keeps lowering the entropy estimate to thwart attackers trying to guess the initial state of the PRNG. When that happens, we wait until enough entropy is available, something that normally should never take longer than a few milliseconds. Fixes nodejs#7338.
When using EntropySource PRNG is not seeded properly. It looks like V8 is seeding with bytes of randomness while OpenSSL PRNG requires 32 bytes. http://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=crypto/rand/rand_lcl.h;h=6696b8057bbe71d532d17bb12ca95afe07ae4f8d;hb=refs/heads/master#l115
The text was updated successfully, but these errors were encountered: