Keep /dev/random open for seeding

[paulidale]

Modify the DEVRANDOM seed source so that the files are kept open persistently.

This allows operation inside a chroot environment without having the random
device present.

• documentation is added or updated
• tests are added or updated

Following from #5330

[paulidale]

At present, there is no test and it isn't clear how an automated test could be written.

A question that needs to be address is should the files be kept open for the entire list of DEVRANDOM seed sources or just one? This PR opts for the former, although they are initially opened as required rather than on startup.

[t-j-h]

I think there should be a mechanism to ask for these files to be closed for an application that wants to do that - i.e. not have a leaking file descriptor ...

[paulidale]

That's fair enough. The chroot use case would suggest that keeping them open by default and having the option to close them is the way to go. This means introducing a new API to change the keep open behaviour.

[t-j-h]

Or an API to provide for a cleanup separately - either way (change the open behaviour or allow for a specific cleanup call) there needs to be something new in place. And I don't think you have access to "conf" for handling that and I wouldn't suggest an environment variable to control it either.

[paulidale]

Added option to enable/disable the keep open semantics.
Still no automated test.

Travis failures are unrelated.

[paulidale]

Which is the best lock to use to guard the set to close mode call? rand_meth_lock or a new one?

[kroeckx]

Since this is the _unix file, it might be useful to use open() instead of fopen() ...

[paulidale]

The existing code used fopen(3) and I stayed with that. I think @richsalz avoided open(2) deliberately. What do others think? I'm happy to change it.

There is also an issue with the reading code later -- if less than the full asked for amount is received, it is ignored. This is perplexing. Shouldn't whatever is read be used and accounted for? Unfortunately, the code is sufficiently complex to not be easily understandable. @mspncp any suggestion here?

[levitte]

Considering we don't use any of the more advanced stdio functions, care about line endings and turn off buffering, I'd say that preferring FILE pointers over file descriptors is a moot point, and if using file descriptors gives us an advantage (such as fstat mentioned elsewhere), it might as well be changed. One unnecessary layer removed...

[levitte]

As for the bytes read being dropped unless it's all the bytes needed, I'm frankly not sure about that. Totally spaced on that last time I looked at this. That could surely be changed, no? Question is if it's something for this PR... (at the very least, it should be made a separate commit)

[mspncp]

Shouldn't whatever is read be used and accounted for?

I don't see any reason to discard the random data, just because it's less than the requested amount. Just grab anything you can get, add it to the pool, and drain the next source ;-).

[kroeckx]

You can use fileno() if you stay with FILE * and want to call fstat()

[kroeckx]

I would like to see a call to fstat(), and check S_ISCHR(), to see if the file is still open and still the type of file we expect.

[paulidale]

Again, I'm happy to change this. Should we trust the configuration setting or should we check?

[kroeckx]

The reason I'm asking this is that I know that there is software that part as becoming a daemon will close all files. So they might have closed our file without us knowing about it, and it's very likely that something will reuse that file descriptor at a later point, say a network socket or log file. I want to avoid reading from an unexpected file. I guess we could cache the whole struct stat and check that some of the fields match.

[paulidale]

That's a good enough reason for me. I'll add the check.

[kroeckx]

I prefer to only have 1 open file, instead of the 2 files you currently do.

[levitte]

Does that mean only reading the seed from one source, or closing them directly after seeding except for the last one, which is kept open for reseeding?

[paulidale]

There will only be more than one open file if the first (or second -- the list is three long from memory) opens but doesn't deliver enough bytes. The first entry is set to /dev/urandom which is unlikely to fail.

There is also a concern with only opening one file at a time: if the read ever fails, the file is then closed and reopened which isn't possible in a chroot(2) environment.

I'm happy to change things to only open one at a time or to open all up front but I'd like a consensus first.

[paulidale]

@levitte as I understand it, the current code will read from /dev/urandom (which won't fail) and the others in the list will never be opened or read from.

[mspncp]

@levitte as I understand it, the current code will read from /dev/urandom (which won't fail) and the others in the list will never be opened or read from.

Since this is the case anyway, there is no need to have this complicated opening logic. I would just use the first handle that can be opened successfully. Since /dev/urandom preceeds /dev/random in the list, it does not really make sense to consider a situation where the first device fails but the second one succeeds.

[paulidale]

I'm hesitant to only keep one FD open. If, after the chroot(2), there is a failure then there are no other possible sources.

[paulidale]

Updated to use FDs not FILE *.
The code opens both descriptors still.

[mspncp]

To be continued...

[mspncp]

As a person who likes self describing function names in imperative style (CLASSNAME_do_this(), CLASSNAME_enable_that()), I would prefer to have a more descriptive function name than "this is the setter of some internal variable called close_seed_files. Even more since

• There is no need for a setter/getter pair. This feature is under control of the application and nobody else should be changing it anyway. So there is no need for the application to query the current value.
• The term "seed files" is used nowhere else and is unnecessarily general; everywhere else we are talking about random device(s). Using such a general term just hides information to the programmer, which has no clue what precisely this function is doing unless he looks up the documentation or the source code.

My suggestion: Just drop the getter and rename the setter to something like

void RAND_keep_devrandom_open(int keep);
void RAND_keep_random_devices_open(int keep);  /* <= my favorite choice */

or the other way around

void RAND_close_devrandom_after_use(int close);
void RAND_close_random_devices_after_use(int close);

edit: I forgot to commit a pendiing edit before sending off the review.

[paulidale]

I often admin I'm rubbish with API names :) I'll change it.

[levitte]

Please don't use devrandom in the names. Sure, this is currently very Unix centric, but should this become implemented on other platforms as well, devrandom is as foreign a name as it gets.

[mspncp]

This function exists solely to disable a workaround for a very unix-ish problem, namely that /dev/random might not be available after chroot(). So it is very unlikely that it will ever be used in a more general context.

[mspncp]

Please don't use devrandom in the names.

Does this include random_devices, too, or only devrandom?

[levitte]

devrandom specifically. random_devices is fine in my mind.

[paulidale]

Renamed to RAND_keep_random_devices_open and removed the getter.

[mspncp]

Just a suggestion:

/*
 * Verify that the file descriptor associated with the random source is
 * still valid and refers to a character device. The rationale for doing
 * this is the fact that it is not uncommon for daemons to close all open
 * file handles when daemonizing. So the handle might have been closed or
 * even reused for opening another file.
 */

[mspncp]

@EmericBr, would you mind checking whether nginx closes all open handles when chrooting? Because this would mean that this pull request would not work for your issue #5330 as expected (see my previous post).

[mspncp]

See also #6432 (comment)

[paulidale]

Yes, that would be a problem :(

Additionally and mostly as a reminder to myself, I need to check that Linux on the S390 uses character devices for its alternative random seed device nodes. I think other Unix based operating systems do, but I'll also check what I've got available too.

[kroeckx]

The alternative I suggested was to cache the result of fstat() and then check that the st_dev, st_ino, st_mode and st_rdev fields are the same.

[lukastribus]

Clarification: this is not about an unnamed application. This is about haproxy.

Emeric is the maintainer of the SSL subsystem in haproxy, I myself am working on haproxy as well. I reproduced this first-hand in haproxy.

In the other thread I linked to the following haproxy troubleshooting session (where Sander, Emeric and myself confirmed the issue):
Haproxy 1.8 with OpenSSL 1.1.1-pre4 stops working after 1 hour

Sander runs an older kernel without getrandom functionality, Emeric cross-compiles without kernels headers (so the raw getrandom syscall doesn't work), and I had the kernel but not the libc, so it started working for me only with the raw getrandom syscall feature in -pre6.

I can see now that the nginx issue was not caused by chroot(), but by a permission problem (after nginx downgraded privileges). I'd argue that there's a possibility that keeping the FD open would have helped the nginx case as-well, depending on the initialization sequence - but let's focus on what we actually know. I apologize for the confusion my nginx comment caused.

Even more specifically, chroot(2) has to be called after rand is initialized.

Haproxy deliberately calls RAND_bytes() before chroot()ing to initialize OpenSSL's random number generator. Otherwise this would never have worked in the first place if I understand correctly.

As for the question of this being required or not or being post 1.1.1

In my opinion, if this doesn't hit 1.1.1, the entire discussion is quite useless, considering the breakage, the fact that 1.1.1 will be LTS and the post 1.1.1 release schedule ... unless you are willing to backport such a change to 1.1.1 post release?

[dot-asm]

This is about haproxy.

Cool! Thanks for clarification!

[mspncp]

unless you are willing to backport such a change to 1.1.1 post release?

My argumentation in #6432 (comment) was to hold back the pull request as long as there is no concrete evidence of a regression yet, but of course keeping the option to backport it as bugfix to 1.1.1 if this would become necessary after the creation of the stable branch. Now since it has been clarified by you that haproxy is indeed affected by this regression, I would say it counts as bugfix and there is no need to hold back the pr.

[paulidale]

What about adding this but with the default being not keeping the FD open?
Since haproxy is already making an effort to start the RAND system, would it be possible to modify it to support the new API to maintain the FDs open?

[paulidale]

I guess making it not work by default in this instance isn't ideal.

[dot-asm]

Formally speaking there is possibility for resource leak here. In case fd != -1 while return value from fstat(fd) is.

[mspncp]

Good catch!

[mspncp]

Now I see why you were saying 'Formally speaking'. Looking at the error codes listed in stat(2) there really seems to be only a hypothetical chance that fstat() might fail in this situation. :-)

[paulidale]

ENOMEM would be possible. I'll fix.

[dot-asm]

It doesn't matter what is error condition or how impossible it is. Mere fact of checking the return value in given sequence formally makes it a possible resource leak.

[dot-asm]

"chroot(2) environment" is misleading, because "environment" gives an impression of something where you can start multiple processes. While the only thing that is effective in the context of proposed modification is operation within single process boundary that itself called chroot(2). Even more specifically, chroot(2) has to be called after rand is initialized.

[paulidale]

I've made the requested changes. The default behaviour is still to keep the device FDs open.

[mspncp]

@paulidale, I have some suggestions for enhancements. For simplicity, I pushed them to my repository, separated in three commits, see suggestions-for-pr-6432. To briefly review the changes, visit mspncp#1, which extends your pull request. To get a local copy, do

git fetch https://github.com/mspncp/openssl.git suggestions-for-pr-6432

Feel free to use (and squash) the suggestions if you like.

[dot-asm]

I'd even go further saying current process's chroot jail.

[dot-asm]

As for not sending file descriptor. Basically rationale is following. It's only appropriate if API can be used in multiple situations. And problem is that suggested interface is usable only in one very particular scenario. While if you pass file descriptor it can used even in other scenarios. For example process that does chroot can pass file descriptor to children (by telling which one is it), which would make it possible to run chroot-ed children. They would naturally have to be modified to identify the file descriptor and pass it down to their copies of libcrypto...

[mspncp]

Which this?

I meant the This at the end of CHANGES, line 12

file descriptors open rather than reopening them on each access. This

Unfortunately I did not comment on the 'Files changed' page, but on the commit's page. That's why it came out so strange.

[mspncp]

But never mind, it's not important.

[paulidale]

This is on a new line now.

[paulidale]

Approvals needed from @levitte and @mattcaswell

My concerns have been met

[levitte]

(I'm happy with the doc changes, leaving approval of the rest to others)

[mattcaswell]

As I understand it this only has an effect the next time we get more entropy from the seed sources, i.e. calling RAND_keep_random_devices_open(0), would not immediately close already open file descriptors. Should we say something about that?

[mspncp]

RAND_keep_random_devices_open(0), would not immediately close already open file descriptors.

False, the file descriptors are closed immediately in rand_pool_keep_random_devices_open().

[mattcaswell]

Ah - right! My misunderstanding. In that case, do we need to say that this happens immediately?

[mspncp]

The normal use case would be to call RAND_keep_random_devices_open() only once during initialization before the first randomness is generated (in which case it makes no difference how it's implemented). You normally don't flip this feature on and off. So maybe better add a sentence that this should be called during early initialization (unless one is happy with the default).

[paulidale]

I've added a sentence and rebased to avoid merge conflicts.

[mspncp]

Oh, sorry for not asking earlier: shouldn't we also mention that this feature is enabled by default?

[paulidale]

Earlier in the paragraph: Some seed sources maintain open file
descriptors by default, ... Isn't that enough?

[mspncp]

Ah ok, I forgot about that. The early bird is not quite awake yet. Thanks for the reminder!

[paulidale]

@mattcaswell your approval is the missing piece at the moment :)

[mattcaswell]

Approved assuming the typo is fixed.

[mattcaswell]

descriptors?

[mspncp]

It's "file descriptor use", but maybe @paulidale should break the line after "use", otherwise more readers will stumble over it.

[mspncp]

Or "file descriptor usage"?

[mattcaswell]

Oh..right. My mistake. Actually the line break is probably not that big a deal because it won't necessarily be there when this gets rendered as a man page.

[paulidale]

Thanks to all, the final documentation change has been made and everything is merged.

[kroeckx]

I really didn't have time to look at this. It seems that that /dev/urandom and /dev/random are now always opened by default even if it's never read. I guess I would prefer to only open them when no system call is available, but I can live with the current situation.

[paulidale]

I'd be a little uncomfortable about introducing this kind of dependencies between the seed sources. It complicates the code and simpler is better here.

If desirable, I can raise an issue for future consideration -- either add the exception to the code or document the behaviour and suggesting not enabling this source if it is a concern.