-
Notifications
You must be signed in to change notification settings - Fork 436
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Please document a way to not wait for high-quality entropy for hash tables #91
Comments
Answering the questions from #90. (For context, I am a dbus maintainer.)
It does not matter at all. The XML that dbus-daemon reads is totally trusted: it's the dbus-daemon's own configuration file. So if this high-quality randomness is just a way to defeat hash table algorithmic complexity attacks, we don't need it.
I would prefer to have a way to tell Expat "don't bother using a hash salt, we trust this XML" or "the hash salt is 42", rather than supplying it with a callback to produce entropy and using https://xkcd.com/221/ for that callback - because if I did the latter, I'd be worried that Expat might start using my entropy callback for some other purpose in addition to salt for the hash, for which it would be unsuitable. Doing this on a per- I don't need to know whether the parsing is taking place during early boot, because if I trust the XML, it's always acceptable to use a weak hash (we aren't going to get pathological input designed to break the hash algorithm anyway), and if I don't trust the XML, it's always wrong to use a weak hash. |
Hi Simon, excellent report, thanks for that! Related pull request #90 came in only 8 hours ago. I dumped a few thoughts over there already but let's do the discussion here. @cometzero, please feel invited. More later. |
Having said that... I'm not sure whether you really need a blocking If something is parsing untrusted XML during early boot, and it's something important enough that it runs at that stage, then I'm not sure that the deliberate denial of service caused by malicious people submitting crafted XML files that will make the parser eat CPU time (the attack you are defending against) is actually significantly worse than the accidental denial of service caused by this important service blocking for a while :-) |
@cometzero's report in #90 confirms my informed guess about I don't think udev is relevant here: it doesn't use D-Bus or XML. systemd is only relevant here because several of its services make use of D-Bus sufficiently close to the beginning of the boot process that systems with few sources of entropy (embedded systems are typically this) might not have initialized the random pool yet. |
For a temporary quickfix, I think There is no existing API besides Maybe you're right that entropy for DoS protection is not worth blocking until the nonblocking pool is initialized. |
I find it hard to have much sympathy for anyone who calls The code referenced in #18 seems to have been people working around a bug in libexpat's solution to CVE-2012-0876, by disabling that solution and bringing back CVE-2012-0876 (albeit with a different crafted XML document required to get collisions). I think I'll add a |
I believe with #92 merged and released, this ticket can be closed. |
dbus-daemon --system
is a system service that parses XML configuration using libexpat. It is rather important on many recent OSs, and is typically started very early in the boot process, especially if process 1 is systemd.@hewittc reported a boot sequence issue on an ARM device running Arch Linux, apparently triggered by a libexpat upgrade: with libexpat >= 2.2.1, system services like systemd-logind and systemd process 1 would frequently fail to connect to the dbus-daemon. This caused subsequent uses of systemd-logind (in particular system logins) to fail, making the system rather broken.
Enabling verbose logging for the dbus-daemon indicated that the dbus-daemon starts 7.2 seconds after boot, stops logging anything at 7.3 seconds, then wakes up again and resumes logging things at 38.1 seconds. That's shortly after the kernel reports this:
which I think is the time at which
getrandom()
stops blocking. So I suspect that the dbus-daemon is blocking in libexpat for approximately 30 seconds while waiting for entropy. 30ish seconds is too long for the timeouts used in systemd, systemd-logind and systemd-networkd - by the time the dbus-daemon has woken up, those system services have already timed out.I assume that the motivation for using high-quality entropy was to avoid hash collision complexity attacks involving crafted XML files that collide? If this is the case, then dbus-daemon does not actually need this: the only XML that we parse is completely trusted (it's the dbus-daemon's configuration). So I think this failure mode could be avoided by asking libexpat to not wait for high-quality entropy.
Is
XML_SetHashSalt()
the API I am looking for? It looks as though, if I call that with some arbitrary nonzerohash_salt
parameter (1 would do),generate_hash_secret_salt()
and hencewriteRandomBytes_getrandom()
might be skipped? However, I'm a little wary about that because this usage (and the special case that 0 doesn't work) is not documented, and #47 suggests that how it works might change.Alternatively, I could add a call to some newly added function,
XML_UseWeakRandomness()
or something, with a configure check to make it compile-time optional. Or both.The text was updated successfully, but these errors were encountered: