Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752582AbdFQS7F (ORCPT <rfc822;w@1wt.eu>);
        Sat, 17 Jun 2017 14:59:05 -0400
Received: from resqmta-ch2-10v.sys.comcast.net ([69.252.207.42]:45044 "EHLO
        resqmta-ch2-10v.sys.comcast.net" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1752145AbdFQS7D (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 17 Jun 2017 14:59:03 -0400
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Subject: Re: [kernel-hardening] [PATCH v4 06/13] iscsi: ensure RNG is seeded before use
From: Paul Koning <paulkoning@comcast.net>
In-Reply-To: <CAH8yC8nHX2r9cfQ0gNeJAUrgSfAS8V16dVHv35BRnLn-YprZCg@mail.gmail.com>
Date: Sat, 17 Jun 2017 14:50:50 -0400
Cc: Lee Duncan <lduncan@suse.com>, "Jason A. Donenfeld" <Jason@zx2c4.com>,
        "Theodore Ts'o" <tytso@mit.edu>,
        Linux Crypto Mailing List <linux-crypto@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        kernel-hardening@lists.openwall.com,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        David Miller <davem@davemloft.net>, Eric Biggers <ebiggers3@gmail.com>,
        "Nicholas A. Bellinger" <nab@linux-iscsi.org>,
        Chris Leech <cleech@redhat.com>
Message-Id: <46F035A7-5E63-4A96-8F45-45728222CF51@comcast.net>
References: <20170606174804.31124-1-Jason@zx2c4.com> <20170606174804.31124-7-Jason@zx2c4.com> <20170608024357.fhyyentj2qm7ti2q@thunk.org> <CAHmME9pViOqqDPyjXKLfCWSTnQrcE4OLJMdK1yaTiUvrOV+ecQ@mail.gmail.com> <fbca1b2b-c9ae-80ce-45ef-17c3d3b93e57@suse.com> <CAHmME9rU_H6Jq7ArjDq1yByrYf1P7nyC4Y8tqkzG585U39MFLg@mail.gmail.com> <02d60ed4-4207-dd7d-8826-0f9f7f4e966d@suse.com> <CAH8yC8nHX2r9cfQ0gNeJAUrgSfAS8V16dVHv35BRnLn-YprZCg@mail.gmail.com>
To: open-iscsi@googlegroups.com
X-Mailer: Apple Mail (2.3124)
X-CMAE-Envelope: MS4wfNsH657DUXkdtH770kwO7cbW1Dk6DmTo54QS4ayghm8OEG1/jQ29q0e1YRiJgtDBK36UYweJnUSmSsOaUgvMT9EAsD4oqnGldub86r0hNK+xe5VY6c7y
 qr80W6RUdtFzrEJxowN2u4NAUMXntNHcsBfkTr+XOX+3j69ofY/f/CZeD+uPmN3eV3kUmHSWLWfGuAMYio4nfFN+HX6laLqg5QJ54YdUzaEWn6CPmhrsNcJ6
 Vduxpc3aIRkBZJr9nVUUHMrPa+2hnpINDPtSca9TbAOMPn+9hVHAcSmcYwEs1dzET+VB5MQz6lm4LbHGirLnzXcuSqB1RX0eEXiWy3sZ/zgPIjEVr5kjs9WC
 wADctpKgx49cryvIjjLJL42HaOXbZrKIBAFDFDGm5SwF60tNi3h0i0u0KLLtFGu3BV/KFZal87Zkizxb1YHHAbj5NVhIblkoj7kEnw4n86kE9hhrnGk9JUgp
 YRaHBrWhvceNfkWDUfAkd85X0hSzNa6MfoTlGzWYfE0GkUvjMYtLcu7kXfHxpxGKfxOth8rMyJ+67VENXexPtFOcBeuCtO7SwXCmVg==
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by mail.home.local id v5HIxHoP023825
Content-Length: 2879
Lines: 56


> On Jun 17, 2017, at 10:23 AM, Jeffrey Walton <noloader@gmail.com> wrote:
> 
> On Fri, Jun 16, 2017 at 11:45 PM, Lee Duncan <lduncan@suse.com> wrote:
>> On 06/16/2017 05:41 PM, Jason A. Donenfeld wrote:
>>> Hi Lee,
>>> 
>>> On Fri, Jun 16, 2017 at 11:58 PM, Lee Duncan <lduncan@suse.com> wrote:
>>>> It seems like what you are doing is basically "good", i.e. if there is
>>>> not enough random data, don't use it. But what happens in that case? The
>>>> authentication fails? How does the user know to wait and try again?
>>> 
>>> The process just remains in interruptible (kill-able) sleep until
>>> there is enough entropy, so the process doesn't need to do anything.
>>> If the waiting is interrupted by a signal, it returns -ESYSRESTART,
>>> which follows the usual semantics of restartable syscalls.
>>> 
>> In your testing, how long might a process have to wait? Are we talking
>> seconds? Longer? What about timeouts?
>> 
>> Sorry, but your changing something that isn't exactly broken, so I just
>> want to be sure we're not introducing some regression, like clients
>> can't connect the first 5 minutes are a reboot.
> 
> CHAP (https://www.rfc-editor.org/rfc/rfc1994.txt) and iSCSI
> (https://www.ietf.org/rfc/rfc3720.txt) require random values. If iSCSI
> is operating without them, it seems like something is broken. From RFC
> 3720, Section 8.2.1, CHAP Considerations:
> 
>   When CHAP is performed over a non-encrypted channel, it is vulnerable
>   to an off-line dictionary attack.  Implementations MUST support use
>   of up to 128 bit random CHAP secrets, including the means to generate
>   such secrets and to accept them from an external generation source.
>   Implementations MUST NOT provide secret generation (or expansion)
>   means other than random generation.

That only applies to the generation of the secret, which is configured into iscsi, not created by it.  A utility to generate the secret might be supplied, of course, just as one might have utilities to generate strong passwords, but it's not a component of the iSCSI protocol.

> CHAP actually has a weaker requirement since it only requires _unique_
> (and not _random_). From RFC 1994, Section 2.3, Design Requirements:
> 
>   Each challenge value SHOULD be unique, since repetition of a
>   challenge value in conjunction with the same secret would permit an
>   attacker to reply with a previously intercepted response.  Since it
>   is expected that the same secret MAY be used to authenticate with
>   servers in disparate geographic regions, the challenge SHOULD exhibit
>   global and temporal uniqueness.
> 
> But its not clear to me how to ensure uniqueness when its based on
> randomness from the generators.

A strong RNG of length n will produce numbers likely to be unique until you approach the birtday limit 2^(n/2).  So, say, a 128 bit challenge will be adequate.

	paul