Re: [chrony-dev] nts_ke_server calling UTI_GetRandomBytesUrandom

2022-08-03 Thread Hal Murray 


un...@physics.ubc.ca said:
>  Are you stating that /dev/urandom is not available on the machine you are
> using? 

No.  A crypto package is needed for shared keys.  I/we hadn't considered 
building without shared keys.

> You are using Linux I believe.

NTPsec builds/runs on Linux, FreeBSD, NetBSD, and probably anything that is 
POSIX enough and supports ntp_adjtime().

-- 
These are my opinions.  I hate spam.




-- 
To unsubscribe email chrony-dev-requ...@chrony.tuxfamily.org with "unsubscribe" 
in the subject.
For help email chrony-dev-requ...@chrony.tuxfamily.org with "help" in the 
subject.
Trouble?  Email listmas...@chrony.tuxfamily.org.

Re: [chrony-dev] nts_ke_server calling UTI_GetRandomBytesUrandom

2022-08-03 Thread Bill Unruh 



Are you stating that /dev/urandom is not available on the machine you are
using? You are using Linux I believe. What version of Linux does not have
/dev/urandom. Note that /dev/random, which should also be available, should
not be used. It has the same strength as urandom, but can block indefinitely
if it thinks it does not have enought "entropy" to finish delivering the bytes
it thinks it needs (esssentially /dev/random does not deliver more bytes that
contained in its "seed" which is harvested from various "randomness" sources
like disk access times, typing intervals, Unfortunately things like the
RP computers have no disks, or keyboards, etc. and so as I understand it, 
play badly with /dev/random (ie, run out of seed easily and thus could  block.)


On Wed, 3 Aug 2022, Hal Murray wrote:


[CAUTION: Non-UBC Email]

mlich...@redhat.com said:

Is OpenSSL required in NTPsec? chrony can be built with no crypto library, so
it needs a random generator that's always available. That's /dev/urandom.


Not currently.  Thanks for the suggestion.

--
These are my opinions.  I hate spam.




--
To unsubscribe email chrony-dev-requ...@chrony.tuxfamily.org with "unsubscribe" 
in the subject.
For help email chrony-dev-requ...@chrony.tuxfamily.org with "help" in the 
subject.
Trouble?  Email listmas...@chrony.tuxfamily.org.




--
To unsubscribe email chrony-dev-requ...@chrony.tuxfamily.org with "unsubscribe" 
in the subject.
For help email chrony-dev-requ...@chrony.tuxfamily.org with "help" in the 
subject.
Trouble?  Email listmas...@chrony.tuxfamily.org.

Re: [chrony-dev] nts_ke_server calling UTI_GetRandomBytesUrandom

2022-08-03 Thread Hal Murray 


mlich...@redhat.com said:
> Is OpenSSL required in NTPsec? chrony can be built with no crypto library, so
> it needs a random generator that's always available. That's /dev/urandom. 

Not currently.  Thanks for the suggestion.

-- 
These are my opinions.  I hate spam.




-- 
To unsubscribe email chrony-dev-requ...@chrony.tuxfamily.org with "unsubscribe" 
in the subject.
For help email chrony-dev-requ...@chrony.tuxfamily.org with "help" in the 
subject.
Trouble?  Email listmas...@chrony.tuxfamily.org.

[chrony-dev] [GIT] chrony/chrony.git branch master updated. 4.2-66-gd91ae20

2022-08-03 Thread git 
This is an automated email from git. It was generated because a ref
change was pushed to the "chrony/chrony.git" repository.

The branch, master has been updated
   via  d91ae2094fa87094430392acd9fd54b4132ba9f1 (commit)
   via  30a584509895a29a573c9546bdede13d877ce13e (commit)
   via  0f367efac53c45157807c99de45ce7e721960cf3 (commit)
   via  24c011d4a61c889b2ee3c955318a874c75b6864b (commit)
   via  0c2cdd2fb14652b9274a09291452fd22c54d5116 (commit)
   via  cd1a666e1bee6ce0e14278106e2f937430ada91c (commit)
  from  070b4f69d0c2e2037102a64abd9e385fad45a33b (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -
commit d91ae2094fa87094430392acd9fd54b4132ba9f1
Author: Miroslav Lichvar 
Date:   Wed Aug 3 13:17:42 2022 +0200

configure: disable arc4random on Linux

In glibc 2.36 was added the arc4random family of functions. However,
unlike on other supported systems, it is not a user-space PRNG
implementation. It just wraps the getrandom() system call with no
buffering, which causes a performance loss on NTP servers due to
the function being called twice for each response to add randomness
to the RX and TX timestamp below the clock precision.

Don't check for arc4random on Linux to keep using the buffered
getrandom().

commit 30a584509895a29a573c9546bdede13d877ce13e
Author: Miroslav Lichvar 
Date:   Tue Aug 2 15:09:38 2022 +0200

configure: avoid -Wnonnull warnings

Replace NULL in test code of functions which have (at least in glibc) or
could have arguments marked as nonnull to avoid the -Wnonnull warnings,
which breaks the detection with the -Werror option.

commit 0f367efac53c45157807c99de45ce7e721960cf3
Author: Miroslav Lichvar 
Date:   Tue Aug 2 16:51:48 2022 +0200

doc: suggest self-signed certificates for NTS in FAQ

commit 24c011d4a61c889b2ee3c955318a874c75b6864b
Author: Miroslav Lichvar 
Date:   Tue Aug 2 14:45:18 2022 +0200

test: catch definite leaks with valgrind

commit 0c2cdd2fb14652b9274a09291452fd22c54d5116
Author: Miroslav Lichvar 
Date:   Mon Aug 1 16:20:13 2022 +0200

test: fix ntp_core unit test to disable source selection

If the randomly generated timestamps are close to the current time, the
source can be selected for synchronization, which causes a crash when
logging the source name due to uninitialized ntp_sources.

Specify the source with the noselect option to prevent selection.

commit cd1a666e1bee6ce0e14278106e2f937430ada91c
Author: Miroslav Lichvar 
Date:   Mon Aug 1 13:04:00 2022 +0200

test: fix sources unit test to call SRC_ReportSource() correctly

Call the function with current time instead of latest sample of the
first source to avoid undefined conversion of negative double to long
int.

Fixes: 07600cbd714f ("test: extend sources unit test")

---

Summary of changes:
 configure   | 35 ---
 doc/faq.adoc| 12 
 test/compilation/003-sanitizers |  6 --
 test/unit/ntp_core.c|  2 +-
 test/unit/sources.c |  1 +
 5 files changed, 38 insertions(+), 18 deletions(-)


hooks/post-receive
-- 
chrony/chrony.git

-- 
To unsubscribe email chrony-dev-requ...@chrony.tuxfamily.org with "unsubscribe" 
in the subject.
For help email chrony-dev-requ...@chrony.tuxfamily.org with "help" in the 
subject.
Trouble?  Email listmas...@chrony.tuxfamily.org.

Re: [chrony-dev] nts_ke_server calling UTI_GetRandomBytesUrandom

2022-08-03 Thread Miroslav Lichvar 
On Tue, Aug 02, 2022 at 09:32:34AM -0700, Hal Murray wrote:
> mlich...@redhat.com said:
> > I was surprised to see they switched arc4random in glibc to getrandom(). 
> > That
> > has a significant performance impact on chronyd, as it calls the function 
> > for
> > each generated RX and TX timestamp. In my 
> 
> NTPsec uses OpenSSL and their crypto package.  I noticed significant CPU 
> going 
> into randomness.  On investigation, there is high overhead.  The cycles per 
> byte isn't horrible for longer chunks.  It's things like calling getpid() 
> called during setup.

Is OpenSSL required in NTPsec? chrony can be built with no crypto
library, so it needs a random generator that's always available.
That's /dev/urandom.
> 
> I've contemplated using a big buffer.  Fill it with one call to amortize the 
> overhead.  Pass out small chunks as needed.  I haven't written any code.

That's what chrony does, but not with arc4random as that is assumed to
have its own buffer.

-- 
Miroslav Lichvar


-- 
To unsubscribe email chrony-dev-requ...@chrony.tuxfamily.org with "unsubscribe" 
in the subject.
For help email chrony-dev-requ...@chrony.tuxfamily.org with "help" in the 
subject.
Trouble?  Email listmas...@chrony.tuxfamily.org.

Re: [chrony-dev] nts_ke_server calling UTI_GetRandomBytesUrandom

2022-08-03 Thread Miroslav Lichvar 
On Tue, Aug 02, 2022 at 11:58:43AM -0700, Bill Unruh wrote:
> I think it depends on what the purpose of the randomness is. If you need real
> cryptgrphic randomness-- ie, unpredictable by an attacker (as for example in
> encryption, or signatures) then you have to pay the price in time. If however
> what you just want it to have a stream of bytes which does not repeat, so that
> two instances will not give the same value (eg uuids or, I suspect filling the
> ntp time packets with cruft so that successive packets on time scales less
> than the precision of the clock do not give the same values) then must facter
> "random" stream generators would suffice. Calling a cryptogrphic random stream
> for the latter would seem to overkill, and much slower than necessary. Does
> anyone care if the time stamp bits which are better than the precision are
> predictable by someone outside? Does this give any attacker a attack vector?

Good question.

I think it matters more for the client rather than the server. chronyd
as a client randomizes all 64 bits of the timestamp. If an off-path
attacker could predict the bits, it would be easier to spoof a valid
response from the server.

There might be some cases where it's important also for the server,
e.g. with the interleaved mode, but I'm not really sure.

Peers in the symmetric mode are clients and servers at the same time.

Currently, the same code path is used for randomizing the timestamp of
the client and server and I'd prefer to keep it that way.

-- 
Miroslav Lichvar


-- 
To unsubscribe email chrony-dev-requ...@chrony.tuxfamily.org with "unsubscribe" 
in the subject.
For help email chrony-dev-requ...@chrony.tuxfamily.org with "help" in the 
subject.
Trouble?  Email listmas...@chrony.tuxfamily.org.