diff mbox series

[FFmpeg-devel,1/2] avformat/hlsenc: fall back to av_get_random_seed() when generating AES128 key

Message ID 20230702193010.11654-1-cus@passwd.hu
State New
Headers show
Series [FFmpeg-devel,1/2] avformat/hlsenc: fall back to av_get_random_seed() when generating AES128 key | expand

Checks

Context Check Description
andriy/make_x86 success Make finished
andriy/make_fate_x86 success Make fate finished

Commit Message

Marton Balint July 2, 2023, 7:30 p.m. UTC 
It should be OK to use av_get_random_seed() to generate the key instead of
using openSSL/Gcrypt functions. This removes the hard dependancy of those libs
for key generation functionality.

Fixes ticket #10441.

Signed-off-by: Marton Balint <cus@passwd.hu>
---
 libavformat/hlsenc.c | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

Comments

Steven Liu July 3, 2023, 2:20 a.m. UTC | #1 
Marton Balint <cus@passwd.hu> 于2023年7月3日周一 03:30写道:
>
> It should be OK to use av_get_random_seed() to generate the key instead of
> using openSSL/Gcrypt functions. This removes the hard dependancy of those libs
> for key generation functionality.
>
> Fixes ticket #10441.
>
> Signed-off-by: Marton Balint <cus@passwd.hu>
> ---
>  libavformat/hlsenc.c | 18 ++++++++----------
>  1 file changed, 8 insertions(+), 10 deletions(-)
>
> diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c
> index 1e0848ce3d..0b22c71186 100644
> --- a/libavformat/hlsenc.c
> +++ b/libavformat/hlsenc.c
> @@ -40,6 +40,7 @@
>  #include "libavutil/intreadwrite.h"
>  #include "libavutil/opt.h"
>  #include "libavutil/log.h"
> +#include "libavutil/random_seed.h"
>  #include "libavutil/time.h"
>  #include "libavutil/time_internal.h"
>
> @@ -710,18 +711,18 @@ fail:
>      return ret;
>  }
>
> -static int randomize(uint8_t *buf, int len)
> +static void randomize(uint8_t *buf, int len)
>  {
>  #if CONFIG_GCRYPT
>      gcry_randomize(buf, len, GCRY_VERY_STRONG_RANDOM);
> -    return 0;
> +    return;
>  #elif CONFIG_OPENSSL
>      if (RAND_bytes(buf, len))
> -        return 0;
> -#else
> -    return AVERROR(ENOSYS);
> +        return;
>  #endif
> -    return AVERROR(EINVAL);
> +    av_assert0(len % 4 == 0);
> +    for (int i = 0; i < len; i += 4)
> +        AV_WB32(buf + i, av_get_random_seed());
>  }
>
>  static int do_encrypt(AVFormatContext *s, VariantStream *vs)
> @@ -775,10 +776,7 @@ static int do_encrypt(AVFormatContext *s, VariantStream *vs)
>      if (!*hls->key_string) {
>          AVDictionary *options = NULL;
>          if (!hls->key) {
> -            if ((ret = randomize(key, sizeof(key))) < 0) {
> -                av_log(s, AV_LOG_ERROR, "Cannot generate a strong random key\n");
> -                return ret;
> -            }
> +            randomize(key, sizeof(key));
>          } else {
>              memcpy(key, hls->key, sizeof(key));
>          }
Hi Marton,

Should remove braces too. I cannot sure how to make it more simpler as
!hls->key ?  randomize(key, sizeof(key)) : memcpy(key, hls->key,
sizeof(key)); ?


Thanks
Steven
Marton Balint July 3, 2023, 7:23 p.m. UTC | #2 
On Mon, 3 Jul 2023, Steven Liu wrote:

> Marton Balint <cus@passwd.hu> 于2023年7月3日周一 03:30写道:
>>
>> It should be OK to use av_get_random_seed() to generate the key instead of
>> using openSSL/Gcrypt functions. This removes the hard dependancy of those libs
>> for key generation functionality.
>>
>> Fixes ticket #10441.
>>
>> Signed-off-by: Marton Balint <cus@passwd.hu>
>> ---

[...]

>>  static int do_encrypt(AVFormatContext *s, VariantStream *vs)
>> @@ -775,10 +776,7 @@ static int do_encrypt(AVFormatContext *s, VariantStream *vs)
>>      if (!*hls->key_string) {
>>          AVDictionary *options = NULL;
>>          if (!hls->key) {
>> -            if ((ret = randomize(key, sizeof(key))) < 0) {
>> -                av_log(s, AV_LOG_ERROR, "Cannot generate a strong random key\n");
>> -                return ret;
>> -            }
>> +            randomize(key, sizeof(key));
>>          } else {
>>              memcpy(key, hls->key, sizeof(key));
>>          }
> Hi Marton,
>
> Should remove braces too. I cannot sure how to make it more simpler as
> !hls->key ?  randomize(key, sizeof(key)) : memcpy(key, hls->key,
> sizeof(key)); ?

I will just remove the braces, looks more readable to me than using the 
ternary operator.

Will apply the series, thanks.

Marton
James Almer July 3, 2023, 7:33 p.m. UTC | #3 
On 7/2/2023 4:30 PM, Marton Balint wrote:
> It should be OK to use av_get_random_seed() to generate the key instead of
> using openSSL/Gcrypt functions. This removes the hard dependancy of those libs
> for key generation functionality.
> 
> Fixes ticket #10441.
> 
> Signed-off-by: Marton Balint <cus@passwd.hu>
> ---
>   libavformat/hlsenc.c | 18 ++++++++----------
>   1 file changed, 8 insertions(+), 10 deletions(-)
> 
> diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c
> index 1e0848ce3d..0b22c71186 100644
> --- a/libavformat/hlsenc.c
> +++ b/libavformat/hlsenc.c
> @@ -40,6 +40,7 @@
>   #include "libavutil/intreadwrite.h"
>   #include "libavutil/opt.h"
>   #include "libavutil/log.h"
> +#include "libavutil/random_seed.h"
>   #include "libavutil/time.h"
>   #include "libavutil/time_internal.h"
>   
> @@ -710,18 +711,18 @@ fail:
>       return ret;
>   }
>   
> -static int randomize(uint8_t *buf, int len)
> +static void randomize(uint8_t *buf, int len)
>   {
>   #if CONFIG_GCRYPT
>       gcry_randomize(buf, len, GCRY_VERY_STRONG_RANDOM);
> -    return 0;
> +    return;
>   #elif CONFIG_OPENSSL
>       if (RAND_bytes(buf, len))
> -        return 0;
> -#else
> -    return AVERROR(ENOSYS);
> +        return;
>   #endif
> -    return AVERROR(EINVAL);
> +    av_assert0(len % 4 == 0);
> +    for (int i = 0; i < len; i += 4)
> +        AV_WB32(buf + i, av_get_random_seed());

Maybe instead use a PRNG, like the following:

AVLFG c;
av_lfg_init(&c, av_get_random_seed());
for (int i = 0; i < len; i += 4)
     AV_WB32(buf + i, av_lfg_get(&c));
Anton Khirnov July 3, 2023, 8:15 p.m. UTC | #4 
Quoting James Almer (2023-07-03 21:33:04)
> On 7/2/2023 4:30 PM, Marton Balint wrote:
> > It should be OK to use av_get_random_seed() to generate the key instead of
> > using openSSL/Gcrypt functions. This removes the hard dependancy of those libs
> > for key generation functionality.
> > 
> > Fixes ticket #10441.
> > 
> > Signed-off-by: Marton Balint <cus@passwd.hu>
> > ---
> >   libavformat/hlsenc.c | 18 ++++++++----------
> >   1 file changed, 8 insertions(+), 10 deletions(-)
> > 
> > diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c
> > index 1e0848ce3d..0b22c71186 100644
> > --- a/libavformat/hlsenc.c
> > +++ b/libavformat/hlsenc.c
> > @@ -40,6 +40,7 @@
> >   #include "libavutil/intreadwrite.h"
> >   #include "libavutil/opt.h"
> >   #include "libavutil/log.h"
> > +#include "libavutil/random_seed.h"
> >   #include "libavutil/time.h"
> >   #include "libavutil/time_internal.h"
> >   
> > @@ -710,18 +711,18 @@ fail:
> >       return ret;
> >   }
> >   
> > -static int randomize(uint8_t *buf, int len)
> > +static void randomize(uint8_t *buf, int len)
> >   {
> >   #if CONFIG_GCRYPT
> >       gcry_randomize(buf, len, GCRY_VERY_STRONG_RANDOM);
> > -    return 0;
> > +    return;
> >   #elif CONFIG_OPENSSL
> >       if (RAND_bytes(buf, len))
> > -        return 0;
> > -#else
> > -    return AVERROR(ENOSYS);
> > +        return;
> >   #endif
> > -    return AVERROR(EINVAL);
> > +    av_assert0(len % 4 == 0);
> > +    for (int i = 0; i < len; i += 4)
> > +        AV_WB32(buf + i, av_get_random_seed());
> 
> Maybe instead use a PRNG, like the following:
> 
> AVLFG c;
> av_lfg_init(&c, av_get_random_seed());
> for (int i = 0; i < len; i += 4)
>      AV_WB32(buf + i, av_lfg_get(&c));

We really REALLY should not be taking any shortcuts when generating
keys.

Ideally we shouldn't be generating them ourselves in the first place, as
we are not a crypto library. This patch seems like a step backward to
me.
Marton Balint July 3, 2023, 8:20 p.m. UTC | #5 
On Mon, 3 Jul 2023, James Almer wrote:

> On 7/2/2023 4:30 PM, Marton Balint wrote:
>>  It should be OK to use av_get_random_seed() to generate the key instead of
>>  using openSSL/Gcrypt functions. This removes the hard dependancy of those
>>  libs
>>  for key generation functionality.
>>
>>  Fixes ticket #10441.
>>
>>  Signed-off-by: Marton Balint <cus@passwd.hu>
>>  ---
>>    libavformat/hlsenc.c | 18 ++++++++----------
>>    1 file changed, 8 insertions(+), 10 deletions(-)
>>
>>  diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c
>>  index 1e0848ce3d..0b22c71186 100644
>>  --- a/libavformat/hlsenc.c
>>  +++ b/libavformat/hlsenc.c
>>  @@ -40,6 +40,7 @@
>>    #include "libavutil/intreadwrite.h"
>>    #include "libavutil/opt.h"
>>    #include "libavutil/log.h"
>>  +#include "libavutil/random_seed.h"
>>    #include "libavutil/time.h"
>>    #include "libavutil/time_internal.h"
>>
>>  @@ -710,18 +711,18 @@ fail:
>>        return ret;
>>    }
>>
>>  -static int randomize(uint8_t *buf, int len)
>>  +static void randomize(uint8_t *buf, int len)
>>    {
>>    #if CONFIG_GCRYPT
>>        gcry_randomize(buf, len, GCRY_VERY_STRONG_RANDOM);
>>  -    return 0;
>>  +    return;
>>    #elif CONFIG_OPENSSL
>>        if (RAND_bytes(buf, len))
>>  -        return 0;
>>  -#else
>>  -    return AVERROR(ENOSYS);
>>  +        return;
>>    #endif
>>  -    return AVERROR(EINVAL);
>>  +    av_assert0(len % 4 == 0);
>>  +    for (int i = 0; i < len; i += 4)
>>  +        AV_WB32(buf + i, av_get_random_seed());
>
> Maybe instead use a PRNG, like the following:
>
> AVLFG c;
> av_lfg_init(&c, av_get_random_seed());
> for (int i = 0; i < len; i += 4)
>    AV_WB32(buf + i, av_lfg_get(&c));

If randomize() were to be used for arbitrary lengths, I'd agree, but here 
it is only used for key generation (only 128-bit keys in the current 
code), so I think av_get_random_seed() for the whole keysize is fine, and 
more secure.

Regards,
Marton
Marton Balint July 3, 2023, 8:54 p.m. UTC | #6 
On Mon, 3 Jul 2023, Anton Khirnov wrote:

> Quoting James Almer (2023-07-03 21:33:04)
>> On 7/2/2023 4:30 PM, Marton Balint wrote:
>>> It should be OK to use av_get_random_seed() to generate the key instead of
>>> using openSSL/Gcrypt functions. This removes the hard dependancy of those libs
>>> for key generation functionality.
>>>
>>> Fixes ticket #10441.
>>>
>>> Signed-off-by: Marton Balint <cus@passwd.hu>
>>> ---
>>>   libavformat/hlsenc.c | 18 ++++++++----------
>>>   1 file changed, 8 insertions(+), 10 deletions(-)
>>>
>>> diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c
>>> index 1e0848ce3d..0b22c71186 100644
>>> --- a/libavformat/hlsenc.c
>>> +++ b/libavformat/hlsenc.c
>>> @@ -40,6 +40,7 @@
>>>   #include "libavutil/intreadwrite.h"
>>>   #include "libavutil/opt.h"
>>>   #include "libavutil/log.h"
>>> +#include "libavutil/random_seed.h"
>>>   #include "libavutil/time.h"
>>>   #include "libavutil/time_internal.h"
>>>
>>> @@ -710,18 +711,18 @@ fail:
>>>       return ret;
>>>   }
>>>
>>> -static int randomize(uint8_t *buf, int len)
>>> +static void randomize(uint8_t *buf, int len)
>>>   {
>>>   #if CONFIG_GCRYPT
>>>       gcry_randomize(buf, len, GCRY_VERY_STRONG_RANDOM);
>>> -    return 0;
>>> +    return;
>>>   #elif CONFIG_OPENSSL
>>>       if (RAND_bytes(buf, len))
>>> -        return 0;
>>> -#else
>>> -    return AVERROR(ENOSYS);
>>> +        return;
>>>   #endif
>>> -    return AVERROR(EINVAL);
>>> +    av_assert0(len % 4 == 0);
>>> +    for (int i = 0; i < len; i += 4)
>>> +        AV_WB32(buf + i, av_get_random_seed());
>>
>> Maybe instead use a PRNG, like the following:
>>
>> AVLFG c;
>> av_lfg_init(&c, av_get_random_seed());
>> for (int i = 0; i < len; i += 4)
>>      AV_WB32(buf + i, av_lfg_get(&c));
>
> We really REALLY should not be taking any shortcuts when generating
> keys.
>
> Ideally we shouldn't be generating them ourselves in the first place, as
> we are not a crypto library. This patch seems like a step backward to
> me.

My patch use av_get_random_seed() which uses what the underlying OS 
provides, BCrypt for Windows, /dev/urandom for Linux, arc4random() for 
BSD/Mac. You really think that these are significantly worse than 
OpenSSL/GCrypt, so it should not be allowed to fallback to?

Regards,
Marton
Anton Khirnov July 3, 2023, 9:09 p.m. UTC | #7 
Quoting Marton Balint (2023-07-03 22:54:41)
> On Mon, 3 Jul 2023, Anton Khirnov wrote:
> My patch use av_get_random_seed() which uses what the underlying OS 
> provides, BCrypt for Windows, /dev/urandom for Linux, arc4random() for 
> BSD/Mac.

IOW it's a jungle of various paths, some of which are not guaranteed to
be cryptographically secure. I see no such guarantees for arc4random()
from a brief web search, and the fallback get_generic_seed() certainly
is not either. Granted it's only used on obscure architectures, but
still.

The doxy even says
> This function tries to provide a good seed at a best effort bases.

> You really think that these are significantly worse than
> OpenSSL/GCrypt, so it should not be allowed to fallback to?

I think we should be using cryptographically secure PRNG for generating
encryption keys, or fail when they are not available. If you want to get
rid of the openssl dependency, IMO the best solution is a new
  int av_random(uint8_t* buf, size_t len);
that guarantees either cryptographically secure randomness or an error.
Marton Balint July 3, 2023, 9:52 p.m. UTC | #8 
On Mon, 3 Jul 2023, Anton Khirnov wrote:

> Quoting Marton Balint (2023-07-03 22:54:41)
>> On Mon, 3 Jul 2023, Anton Khirnov wrote:
>> My patch use av_get_random_seed() which uses what the underlying OS
>> provides, BCrypt for Windows, /dev/urandom for Linux, arc4random() for
>> BSD/Mac.
>
> IOW it's a jungle of various paths, some of which are not guaranteed to
> be cryptographically secure. I see no such guarantees for arc4random()

It depends on OS and version most likely.

> from a brief web search, and the fallback get_generic_seed() certainly
> is not either.
> Granted it's only used on obscure architectures, but
> still.

I am no expert on the subject, but even the generic code seems reasonably 
secure. It gathers entropy, it uses a crypto hash to get the output. And 
as you said, even that only used for obscure cases.

>
> The doxy even says
>> This function tries to provide a good seed at a best effort bases.
>
>> You really think that these are significantly worse than
>> OpenSSL/GCrypt, so it should not be allowed to fallback to?
>
> I think we should be using cryptographically secure PRNG for generating
> encryption keys, or fail when they are not available. If you want to get
> rid of the openssl dependency, IMO the best solution is a new
>  int av_random(uint8_t* buf, size_t len);
> that guarantees either cryptographically secure randomness or an error.

Sorry, seems a bit overdesign for me, so I won't be pursuing this further.

Regards,
Marton
Michael Niedermayer July 3, 2023, 11:50 p.m. UTC | #9 
On Mon, Jul 03, 2023 at 11:09:54PM +0200, Anton Khirnov wrote:
> Quoting Marton Balint (2023-07-03 22:54:41)
> > On Mon, 3 Jul 2023, Anton Khirnov wrote:
> > My patch use av_get_random_seed() which uses what the underlying OS 
> > provides, BCrypt for Windows, /dev/urandom for Linux, arc4random() for 
> > BSD/Mac.
> 
> IOW it's a jungle of various paths, some of which are not guaranteed to
> be cryptographically secure. I see no such guarantees for arc4random()
> from a brief web search, and the fallback get_generic_seed() certainly
> is not either. Granted it's only used on obscure architectures, but
> still.
> 
> The doxy even says
> > This function tries to provide a good seed at a best effort bases.
> 
> > You really think that these are significantly worse than
> > OpenSSL/GCrypt, so it should not be allowed to fallback to?
> 
> I think we should be using cryptographically secure PRNG for generating
> encryption keys, or fail when they are not available. If you want to get
> rid of the openssl dependency, IMO the best solution is a new
>   int av_random(uint8_t* buf, size_t len);
> that guarantees either cryptographically secure randomness or an error.

"guarantees cryptographically secure randomness" ?
If one defined "cryptographically secure" as "not broken publically as of today"

Iam saying that as i think "guarantees" can be misleading in what it means

thx

[...]
Anton Khirnov July 4, 2023, 5:54 a.m. UTC | #10 
Quoting Michael Niedermayer (2023-07-04 01:50:57)
> On Mon, Jul 03, 2023 at 11:09:54PM +0200, Anton Khirnov wrote:
> > Quoting Marton Balint (2023-07-03 22:54:41)
> > > On Mon, 3 Jul 2023, Anton Khirnov wrote:
> > > My patch use av_get_random_seed() which uses what the underlying OS 
> > > provides, BCrypt for Windows, /dev/urandom for Linux, arc4random() for 
> > > BSD/Mac.
> > 
> > IOW it's a jungle of various paths, some of which are not guaranteed to
> > be cryptographically secure. I see no such guarantees for arc4random()
> > from a brief web search, and the fallback get_generic_seed() certainly
> > is not either. Granted it's only used on obscure architectures, but
> > still.
> > 
> > The doxy even says
> > > This function tries to provide a good seed at a best effort bases.
> > 
> > > You really think that these are significantly worse than
> > > OpenSSL/GCrypt, so it should not be allowed to fallback to?
> > 
> > I think we should be using cryptographically secure PRNG for generating
> > encryption keys, or fail when they are not available. If you want to get
> > rid of the openssl dependency, IMO the best solution is a new
> >   int av_random(uint8_t* buf, size_t len);
> > that guarantees either cryptographically secure randomness or an error.
> 
> "guarantees cryptographically secure randomness" ?
> If one defined "cryptographically secure" as "not broken publically as of today"
> 
> Iam saying that as i think "guarantees" can be misleading in what it means

I feel your snark is very much misplaced.

I recall way more instances of broken crypto caused by overconfident
non-experts with an attitude like yours ("those silly crypto libraries,
broken all the time, how hard can it be really") than by actual
vulnerabilities in actual crypto libraries.

In fact the highest-profile break I remember (Debian key entropy bug)
was caused precisely by non-experts fiddling with code they did not
understand.
Kieran Kunhya July 4, 2023, 9:08 a.m. UTC | #11 
On Tue, 4 Jul 2023 at 06:54, Anton Khirnov <anton@khirnov.net> wrote:

> Quoting Michael Niedermayer (2023-07-04 01:50:57)
> > On Mon, Jul 03, 2023 at 11:09:54PM +0200, Anton Khirnov wrote:
> > > Quoting Marton Balint (2023-07-03 22:54:41)
> > > > On Mon, 3 Jul 2023, Anton Khirnov wrote:
> > > > My patch use av_get_random_seed() which uses what the underlying OS
> > > > provides, BCrypt for Windows, /dev/urandom for Linux, arc4random()
> for
> > > > BSD/Mac.
> > >
> > > IOW it's a jungle of various paths, some of which are not guaranteed to
> > > be cryptographically secure. I see no such guarantees for arc4random()
> > > from a brief web search, and the fallback get_generic_seed() certainly
> > > is not either. Granted it's only used on obscure architectures, but
> > > still.
> > >
> > > The doxy even says
> > > > This function tries to provide a good seed at a best effort bases.
> > >
> > > > You really think that these are significantly worse than
> > > > OpenSSL/GCrypt, so it should not be allowed to fallback to?
> > >
> > > I think we should be using cryptographically secure PRNG for generating
> > > encryption keys, or fail when they are not available. If you want to
> get
> > > rid of the openssl dependency, IMO the best solution is a new
> > >   int av_random(uint8_t* buf, size_t len);
> > > that guarantees either cryptographically secure randomness or an error.
> >
> > "guarantees cryptographically secure randomness" ?
> > If one defined "cryptographically secure" as "not broken publically as
> of today"
> >
> > Iam saying that as i think "guarantees" can be misleading in what it
> means
>
> I feel your snark is very much misplaced.
>
> I recall way more instances of broken crypto caused by overconfident
> non-experts with an attitude like yours ("those silly crypto libraries,
> broken all the time, how hard can it be really") than by actual
> vulnerabilities in actual crypto libraries.
>
> In fact the highest-profile break I remember (Debian key entropy bug)
> was caused precisely by non-experts fiddling with code they did not
> understand.
>

+1

Kieran
James Almer July 4, 2023, 2:37 p.m. UTC | #12 
On 7/4/2023 2:54 AM, Anton Khirnov wrote:
> Quoting Michael Niedermayer (2023-07-04 01:50:57)
>> On Mon, Jul 03, 2023 at 11:09:54PM +0200, Anton Khirnov wrote:
>>> Quoting Marton Balint (2023-07-03 22:54:41)
>>>> On Mon, 3 Jul 2023, Anton Khirnov wrote:
>>>> My patch use av_get_random_seed() which uses what the underlying OS
>>>> provides, BCrypt for Windows, /dev/urandom for Linux, arc4random() for
>>>> BSD/Mac.
>>>
>>> IOW it's a jungle of various paths, some of which are not guaranteed to
>>> be cryptographically secure. I see no such guarantees for arc4random()
>>> from a brief web search, and the fallback get_generic_seed() certainly
>>> is not either. Granted it's only used on obscure architectures, but
>>> still.
>>>
>>> The doxy even says
>>>> This function tries to provide a good seed at a best effort bases.
>>>
>>>> You really think that these are significantly worse than
>>>> OpenSSL/GCrypt, so it should not be allowed to fallback to?
>>>
>>> I think we should be using cryptographically secure PRNG for generating
>>> encryption keys, or fail when they are not available. If you want to get
>>> rid of the openssl dependency, IMO the best solution is a new
>>>    int av_random(uint8_t* buf, size_t len);
>>> that guarantees either cryptographically secure randomness or an error.
>>
>> "guarantees cryptographically secure randomness" ?
>> If one defined "cryptographically secure" as "not broken publically as of today"
>>
>> Iam saying that as i think "guarantees" can be misleading in what it means
> 
> I feel your snark is very much misplaced.
> 
> I recall way more instances of broken crypto caused by overconfident
> non-experts with an attitude like yours ("those silly crypto libraries,
> broken all the time, how hard can it be really") than by actual
> vulnerabilities in actual crypto libraries.
> 
> In fact the highest-profile break I remember (Debian key entropy bug)
> was caused precisely by non-experts fiddling with code they did not
> understand.

Maybe the gcrypt and openssl API calls used here can instead be moved to 
av_get_random_seed(), which would reduce (or outright remove) the cases 
/dev/random or get_generic_seed() are called and result in essentially 
no changes to this functionality here?
Anton Khirnov July 4, 2023, 3:31 p.m. UTC | #13 
Quoting James Almer (2023-07-04 16:37:03)
> On 7/4/2023 2:54 AM, Anton Khirnov wrote:
> > Quoting Michael Niedermayer (2023-07-04 01:50:57)
> >> On Mon, Jul 03, 2023 at 11:09:54PM +0200, Anton Khirnov wrote:
> >>> Quoting Marton Balint (2023-07-03 22:54:41)
> >>>> On Mon, 3 Jul 2023, Anton Khirnov wrote:
> >>>> My patch use av_get_random_seed() which uses what the underlying OS
> >>>> provides, BCrypt for Windows, /dev/urandom for Linux, arc4random() for
> >>>> BSD/Mac.
> >>>
> >>> IOW it's a jungle of various paths, some of which are not guaranteed to
> >>> be cryptographically secure. I see no such guarantees for arc4random()
> >>> from a brief web search, and the fallback get_generic_seed() certainly
> >>> is not either. Granted it's only used on obscure architectures, but
> >>> still.
> >>>
> >>> The doxy even says
> >>>> This function tries to provide a good seed at a best effort bases.
> >>>
> >>>> You really think that these are significantly worse than
> >>>> OpenSSL/GCrypt, so it should not be allowed to fallback to?
> >>>
> >>> I think we should be using cryptographically secure PRNG for generating
> >>> encryption keys, or fail when they are not available. If you want to get
> >>> rid of the openssl dependency, IMO the best solution is a new
> >>>    int av_random(uint8_t* buf, size_t len);
> >>> that guarantees either cryptographically secure randomness or an error.
> >>
> >> "guarantees cryptographically secure randomness" ?
> >> If one defined "cryptographically secure" as "not broken publically as of today"
> >>
> >> Iam saying that as i think "guarantees" can be misleading in what it means
> > 
> > I feel your snark is very much misplaced.
> > 
> > I recall way more instances of broken crypto caused by overconfident
> > non-experts with an attitude like yours ("those silly crypto libraries,
> > broken all the time, how hard can it be really") than by actual
> > vulnerabilities in actual crypto libraries.
> > 
> > In fact the highest-profile break I remember (Debian key entropy bug)
> > was caused precisely by non-experts fiddling with code they did not
> > understand.
> 
> Maybe the gcrypt and openssl API calls used here can instead be moved to 
> av_get_random_seed(), which would reduce (or outright remove) the cases 
> /dev/random or get_generic_seed() are called and result in essentially 

I see nothing wrong with using /dev/random, it's probably the most
trustworthy source on most machines. Though on linux it's probably
even better to use getrandom() where available.
James Almer July 4, 2023, 7:02 p.m. UTC | #14 
On 7/3/2023 6:52 PM, Marton Balint wrote:
> 
> 
> On Mon, 3 Jul 2023, Anton Khirnov wrote:
> 
>> Quoting Marton Balint (2023-07-03 22:54:41)
>>> On Mon, 3 Jul 2023, Anton Khirnov wrote:
>>> My patch use av_get_random_seed() which uses what the underlying OS
>>> provides, BCrypt for Windows, /dev/urandom for Linux, arc4random() for
>>> BSD/Mac.
>>
>> IOW it's a jungle of various paths, some of which are not guaranteed to
>> be cryptographically secure. I see no such guarantees for arc4random()
> 
> It depends on OS and version most likely.
> 
>> from a brief web search, and the fallback get_generic_seed() certainly
>> is not either.
>> Granted it's only used on obscure architectures, but
>> still.
> 
> I am no expert on the subject, but even the generic code seems 
> reasonably secure. It gathers entropy, it uses a crypto hash to get the 
> output. And as you said, even that only used for obscure cases.
> 
>>
>> The doxy even says
>>> This function tries to provide a good seed at a best effort bases.
>>
>>> You really think that these are significantly worse than
>>> OpenSSL/GCrypt, so it should not be allowed to fallback to?
>>
>> I think we should be using cryptographically secure PRNG for generating
>> encryption keys, or fail when they are not available. If you want to get
>> rid of the openssl dependency, IMO the best solution is a new
>>  int av_random(uint8_t* buf, size_t len);
>> that guarantees either cryptographically secure randomness or an error.
> 
> Sorry, seems a bit overdesign for me, so I won't be pursuing this further.

I just sent a patchset implementing a new av_random() function that uses 
the existing av_get_random_seed() entropy sources, and adds the ones 
used by hlsenc too.
If that goes in, then this patchset can go in as well afterwards.
Marton Balint July 4, 2023, 7:30 p.m. UTC | #15 
On Tue, 4 Jul 2023, James Almer wrote:

> On 7/3/2023 6:52 PM, Marton Balint wrote:
>>
>>
>>  On Mon, 3 Jul 2023, Anton Khirnov wrote:
>>
>>>  Quoting Marton Balint (2023-07-03 22:54:41)
>>>>  On Mon, 3 Jul 2023, Anton Khirnov wrote:
>>>>  My patch use av_get_random_seed() which uses what the underlying OS
>>>>  provides, BCrypt for Windows, /dev/urandom for Linux, arc4random() for
>>>>  BSD/Mac.
>>>
>>>  IOW it's a jungle of various paths, some of which are not guaranteed to
>>>  be cryptographically secure. I see no such guarantees for arc4random()
>>
>>  It depends on OS and version most likely.
>>
>>>  from a brief web search, and the fallback get_generic_seed() certainly
>>>  is not either.
>>>  Granted it's only used on obscure architectures, but
>>>  still.
>>
>>  I am no expert on the subject, but even the generic code seems reasonably
>>  secure. It gathers entropy, it uses a crypto hash to get the output. And
>>  as you said, even that only used for obscure cases.
>> 
>>>
>>>  The doxy even says
>>>>  This function tries to provide a good seed at a best effort bases.
>>>
>>>>  You really think that these are significantly worse than
>>>>  OpenSSL/GCrypt, so it should not be allowed to fallback to?
>>>
>>>  I think we should be using cryptographically secure PRNG for generating
>>>  encryption keys, or fail when they are not available. If you want to get
>>>  rid of the openssl dependency, IMO the best solution is a new
>>>   int av_random(uint8_t* buf, size_t len);
>>>  that guarantees either cryptographically secure randomness or an error.
>>
>>  Sorry, seems a bit overdesign for me, so I won't be pursuing this further.
>
> I just sent a patchset implementing a new av_random() function that uses the 
> existing av_get_random_seed() entropy sources, and adds the ones used by 
> hlsenc too.
> If that goes in, then this patchset can go in as well afterwards.

Thanks! I will rework the patch to use av_random() then.

Regards,
Marton
Michael Niedermayer July 4, 2023, 11:50 p.m. UTC | #16 
On Tue, Jul 04, 2023 at 07:54:06AM +0200, Anton Khirnov wrote:
> Quoting Michael Niedermayer (2023-07-04 01:50:57)
> > On Mon, Jul 03, 2023 at 11:09:54PM +0200, Anton Khirnov wrote:
> > > Quoting Marton Balint (2023-07-03 22:54:41)
> > > > On Mon, 3 Jul 2023, Anton Khirnov wrote:
> > > > My patch use av_get_random_seed() which uses what the underlying OS 
> > > > provides, BCrypt for Windows, /dev/urandom for Linux, arc4random() for 
> > > > BSD/Mac.
> > > 
> > > IOW it's a jungle of various paths, some of which are not guaranteed to
> > > be cryptographically secure. I see no such guarantees for arc4random()
> > > from a brief web search, and the fallback get_generic_seed() certainly
> > > is not either. Granted it's only used on obscure architectures, but
> > > still.
> > > 
> > > The doxy even says
> > > > This function tries to provide a good seed at a best effort bases.
> > > 
> > > > You really think that these are significantly worse than
> > > > OpenSSL/GCrypt, so it should not be allowed to fallback to?
> > > 
> > > I think we should be using cryptographically secure PRNG for generating
> > > encryption keys, or fail when they are not available. If you want to get
> > > rid of the openssl dependency, IMO the best solution is a new
> > >   int av_random(uint8_t* buf, size_t len);
> > > that guarantees either cryptographically secure randomness or an error.
> > 
> > "guarantees cryptographically secure randomness" ?
> > If one defined "cryptographically secure" as "not broken publically as of today"
> > 
> > Iam saying that as i think "guarantees" can be misleading in what it means
> 
> I feel your snark is very much misplaced.
> 

> I recall way more instances of broken crypto caused by overconfident
> non-experts with an attitude like yours ("those silly crypto libraries,
> broken all the time, how hard can it be really") than by actual
> vulnerabilities in actual crypto libraries.
> 
> In fact the highest-profile break I remember (Debian key entropy bug)
> was caused precisely by non-experts fiddling with code they did not
> understand.

There is no snark here, at least that was not the intend
Also what you say in these 2 paragraphs is true but isnt really
related to what i said or meant to say

these cryptographically secure PRNGS are secure as long as the
currently used components and assumtations they are build on havnt
been broken.
Can i do better? no. but that doesnt mean that these
are going to be unbroken in 30 years.
just look 30 years in the past what percentage of what was believed to
be secure 30 years ago has been broken today. or 50 or 100years
thats really what i meant

thx

[...]
Anton Khirnov July 5, 2023, 9:22 a.m. UTC | #17 
Quoting Michael Niedermayer (2023-07-05 01:50:12)
> On Tue, Jul 04, 2023 at 07:54:06AM +0200, Anton Khirnov wrote:
> > Quoting Michael Niedermayer (2023-07-04 01:50:57)
> > > On Mon, Jul 03, 2023 at 11:09:54PM +0200, Anton Khirnov wrote:
> > > > Quoting Marton Balint (2023-07-03 22:54:41)
> > > > > On Mon, 3 Jul 2023, Anton Khirnov wrote:
> > > > > My patch use av_get_random_seed() which uses what the underlying OS 
> > > > > provides, BCrypt for Windows, /dev/urandom for Linux, arc4random() for 
> > > > > BSD/Mac.
> > > > 
> > > > IOW it's a jungle of various paths, some of which are not guaranteed to
> > > > be cryptographically secure. I see no such guarantees for arc4random()
> > > > from a brief web search, and the fallback get_generic_seed() certainly
> > > > is not either. Granted it's only used on obscure architectures, but
> > > > still.
> > > > 
> > > > The doxy even says
> > > > > This function tries to provide a good seed at a best effort bases.
> > > > 
> > > > > You really think that these are significantly worse than
> > > > > OpenSSL/GCrypt, so it should not be allowed to fallback to?
> > > > 
> > > > I think we should be using cryptographically secure PRNG for generating
> > > > encryption keys, or fail when they are not available. If you want to get
> > > > rid of the openssl dependency, IMO the best solution is a new
> > > >   int av_random(uint8_t* buf, size_t len);
> > > > that guarantees either cryptographically secure randomness or an error.
> > > 
> > > "guarantees cryptographically secure randomness" ?
> > > If one defined "cryptographically secure" as "not broken publically as of today"
> > > 
> > > Iam saying that as i think "guarantees" can be misleading in what it means
> > 
> > I feel your snark is very much misplaced.
> > 
> 
> > I recall way more instances of broken crypto caused by overconfident
> > non-experts with an attitude like yours ("those silly crypto libraries,
> > broken all the time, how hard can it be really") than by actual
> > vulnerabilities in actual crypto libraries.
> > 
> > In fact the highest-profile break I remember (Debian key entropy bug)
> > was caused precisely by non-experts fiddling with code they did not
> > understand.
> 
> There is no snark here, at least that was not the intend
> Also what you say in these 2 paragraphs is true but isnt really
> related to what i said or meant to say
> 
> these cryptographically secure PRNGS are secure as long as the
> currently used components and assumtations they are build on havnt
> been broken.
> Can i do better? no. but that doesnt mean that these
> are going to be unbroken in 30 years.
> just look 30 years in the past what percentage of what was believed to
> be secure 30 years ago has been broken today. or 50 or 100years
> thats really what i meant

I still don't see what point are you trying to make here.
Yes, any practical cryptographic algorithm could potentially be broken
at some point. And everything in real life is imperfect, because we do
not live in the world of ideal forms.
But I don't see what practical steps could or should be taken in
response to this.
Michael Niedermayer July 5, 2023, 10:54 p.m. UTC | #18 
On Wed, Jul 05, 2023 at 11:22:44AM +0200, Anton Khirnov wrote:
> Quoting Michael Niedermayer (2023-07-05 01:50:12)
> > On Tue, Jul 04, 2023 at 07:54:06AM +0200, Anton Khirnov wrote:
> > > Quoting Michael Niedermayer (2023-07-04 01:50:57)
> > > > On Mon, Jul 03, 2023 at 11:09:54PM +0200, Anton Khirnov wrote:
> > > > > Quoting Marton Balint (2023-07-03 22:54:41)
> > > > > > On Mon, 3 Jul 2023, Anton Khirnov wrote:
> > > > > > My patch use av_get_random_seed() which uses what the underlying OS 
> > > > > > provides, BCrypt for Windows, /dev/urandom for Linux, arc4random() for 
> > > > > > BSD/Mac.
> > > > > 
> > > > > IOW it's a jungle of various paths, some of which are not guaranteed to
> > > > > be cryptographically secure. I see no such guarantees for arc4random()
> > > > > from a brief web search, and the fallback get_generic_seed() certainly
> > > > > is not either. Granted it's only used on obscure architectures, but
> > > > > still.
> > > > > 
> > > > > The doxy even says
> > > > > > This function tries to provide a good seed at a best effort bases.
> > > > > 
> > > > > > You really think that these are significantly worse than
> > > > > > OpenSSL/GCrypt, so it should not be allowed to fallback to?
> > > > > 
> > > > > I think we should be using cryptographically secure PRNG for generating
> > > > > encryption keys, or fail when they are not available. If you want to get
> > > > > rid of the openssl dependency, IMO the best solution is a new
> > > > >   int av_random(uint8_t* buf, size_t len);
> > > > > that guarantees either cryptographically secure randomness or an error.
> > > > 
> > > > "guarantees cryptographically secure randomness" ?
> > > > If one defined "cryptographically secure" as "not broken publically as of today"
> > > > 
> > > > Iam saying that as i think "guarantees" can be misleading in what it means
> > > 
> > > I feel your snark is very much misplaced.
> > > 
> > 
> > > I recall way more instances of broken crypto caused by overconfident
> > > non-experts with an attitude like yours ("those silly crypto libraries,
> > > broken all the time, how hard can it be really") than by actual
> > > vulnerabilities in actual crypto libraries.
> > > 
> > > In fact the highest-profile break I remember (Debian key entropy bug)
> > > was caused precisely by non-experts fiddling with code they did not
> > > understand.
> > 
> > There is no snark here, at least that was not the intend
> > Also what you say in these 2 paragraphs is true but isnt really
> > related to what i said or meant to say
> > 
> > these cryptographically secure PRNGS are secure as long as the
> > currently used components and assumtations they are build on havnt
> > been broken.
> > Can i do better? no. but that doesnt mean that these
> > are going to be unbroken in 30 years.
> > just look 30 years in the past what percentage of what was believed to
> > be secure 30 years ago has been broken today. or 50 or 100years
> > thats really what i meant
> 
> I still don't see what point are you trying to make here.
> Yes, any practical cryptographic algorithm could potentially be broken
> at some point. And everything in real life is imperfect, because we do
> not live in the world of ideal forms.

> But I don't see what practical steps could or should be taken in
> response to this.

for us i dont know but a user could
instead of putting critical data in a system that might be broken in 30 years
just write it down on paper and burn and grind the paper when its not needed anymore
(which may or may not be an option)

nothing is perfect but there are methods to transfer and destroy data which have a
long track record of being secure and are simple.

I think we should not make it sound like encrypting with these random numbers
is as good as not storing/transmitting or using bits from fliping a real fair coin

thx

[...]
Anton Khirnov July 6, 2023, 7:52 a.m. UTC | #19 
Quoting Michael Niedermayer (2023-07-06 00:54:47)
> On Wed, Jul 05, 2023 at 11:22:44AM +0200, Anton Khirnov wrote:
> > Quoting Michael Niedermayer (2023-07-05 01:50:12)
> > > On Tue, Jul 04, 2023 at 07:54:06AM +0200, Anton Khirnov wrote:
> > > > Quoting Michael Niedermayer (2023-07-04 01:50:57)
> > > > > On Mon, Jul 03, 2023 at 11:09:54PM +0200, Anton Khirnov wrote:
> > > > > > Quoting Marton Balint (2023-07-03 22:54:41)
> > > > > > > On Mon, 3 Jul 2023, Anton Khirnov wrote:
> > > > > > > My patch use av_get_random_seed() which uses what the underlying OS 
> > > > > > > provides, BCrypt for Windows, /dev/urandom for Linux, arc4random() for 
> > > > > > > BSD/Mac.
> > > > > > 
> > > > > > IOW it's a jungle of various paths, some of which are not guaranteed to
> > > > > > be cryptographically secure. I see no such guarantees for arc4random()
> > > > > > from a brief web search, and the fallback get_generic_seed() certainly
> > > > > > is not either. Granted it's only used on obscure architectures, but
> > > > > > still.
> > > > > > 
> > > > > > The doxy even says
> > > > > > > This function tries to provide a good seed at a best effort bases.
> > > > > > 
> > > > > > > You really think that these are significantly worse than
> > > > > > > OpenSSL/GCrypt, so it should not be allowed to fallback to?
> > > > > > 
> > > > > > I think we should be using cryptographically secure PRNG for generating
> > > > > > encryption keys, or fail when they are not available. If you want to get
> > > > > > rid of the openssl dependency, IMO the best solution is a new
> > > > > >   int av_random(uint8_t* buf, size_t len);
> > > > > > that guarantees either cryptographically secure randomness or an error.
> > > > > 
> > > > > "guarantees cryptographically secure randomness" ?
> > > > > If one defined "cryptographically secure" as "not broken publically as of today"
> > > > > 
> > > > > Iam saying that as i think "guarantees" can be misleading in what it means
> > > > 
> > > > I feel your snark is very much misplaced.
> > > > 
> > > 
> > > > I recall way more instances of broken crypto caused by overconfident
> > > > non-experts with an attitude like yours ("those silly crypto libraries,
> > > > broken all the time, how hard can it be really") than by actual
> > > > vulnerabilities in actual crypto libraries.
> > > > 
> > > > In fact the highest-profile break I remember (Debian key entropy bug)
> > > > was caused precisely by non-experts fiddling with code they did not
> > > > understand.
> > > 
> > > There is no snark here, at least that was not the intend
> > > Also what you say in these 2 paragraphs is true but isnt really
> > > related to what i said or meant to say
> > > 
> > > these cryptographically secure PRNGS are secure as long as the
> > > currently used components and assumtations they are build on havnt
> > > been broken.
> > > Can i do better? no. but that doesnt mean that these
> > > are going to be unbroken in 30 years.
> > > just look 30 years in the past what percentage of what was believed to
> > > be secure 30 years ago has been broken today. or 50 or 100years
> > > thats really what i meant
> > 
> > I still don't see what point are you trying to make here.
> > Yes, any practical cryptographic algorithm could potentially be broken
> > at some point. And everything in real life is imperfect, because we do
> > not live in the world of ideal forms.
> 
> > But I don't see what practical steps could or should be taken in
> > response to this.
> 
> for us i dont know but a user could
> instead of putting critical data in a system that might be broken in 30 years
> just write it down on paper and burn and grind the paper when its not needed anymore
> (which may or may not be an option)
> 
> nothing is perfect but there are methods to transfer and destroy data which have a
> long track record of being secure and are simple.
> 
> I think we should not make it sound like encrypting with these random numbers
> is as good as not storing/transmitting or using bits from fliping a real fair coin

We are not claiming that. We are claiming that the random numbers
generated are (to the best of our ability, and that of the underlying
libraries we rely on) cryptographically secure. This means suitable for
use in state of the art cryptographic algorithms like AES.
I do not think it makes sense to mistrust CSPRNGs, yet still trust AES.
Kieran Kunhya July 6, 2023, 11:34 p.m. UTC | #20 
On Thu, 6 Jul 2023, 08:52 Anton Khirnov, <anton@khirnov.net> wrote:

>
> We are not claiming that. We are claiming that the random numbers
> generated are (to the best of our ability, and that of the underlying
> libraries we rely on) cryptographically secure. This means suitable for
> use in state of the art cryptographic algorithms like AES.
> I do not think it makes sense to mistrust CSPRNGs, yet still trust AES.


Agreed, I don't think it's ffmpeg's job to get into a philosophical
discussion about the state of the art of random number generation.

Kieran

> ".
>
Michael Niedermayer July 7, 2023, 12:55 a.m. UTC | #21 
On Thu, Jul 06, 2023 at 09:52:12AM +0200, Anton Khirnov wrote:
> Quoting Michael Niedermayer (2023-07-06 00:54:47)
> > On Wed, Jul 05, 2023 at 11:22:44AM +0200, Anton Khirnov wrote:
> > > Quoting Michael Niedermayer (2023-07-05 01:50:12)
> > > > On Tue, Jul 04, 2023 at 07:54:06AM +0200, Anton Khirnov wrote:
> > > > > Quoting Michael Niedermayer (2023-07-04 01:50:57)
> > > > > > On Mon, Jul 03, 2023 at 11:09:54PM +0200, Anton Khirnov wrote:
> > > > > > > Quoting Marton Balint (2023-07-03 22:54:41)
> > > > > > > > On Mon, 3 Jul 2023, Anton Khirnov wrote:
> > > > > > > > My patch use av_get_random_seed() which uses what the underlying OS 
> > > > > > > > provides, BCrypt for Windows, /dev/urandom for Linux, arc4random() for 
> > > > > > > > BSD/Mac.
> > > > > > > 
> > > > > > > IOW it's a jungle of various paths, some of which are not guaranteed to
> > > > > > > be cryptographically secure. I see no such guarantees for arc4random()
> > > > > > > from a brief web search, and the fallback get_generic_seed() certainly
> > > > > > > is not either. Granted it's only used on obscure architectures, but
> > > > > > > still.
> > > > > > > 
> > > > > > > The doxy even says
> > > > > > > > This function tries to provide a good seed at a best effort bases.
> > > > > > > 
> > > > > > > > You really think that these are significantly worse than
> > > > > > > > OpenSSL/GCrypt, so it should not be allowed to fallback to?
> > > > > > > 
> > > > > > > I think we should be using cryptographically secure PRNG for generating
> > > > > > > encryption keys, or fail when they are not available. If you want to get
> > > > > > > rid of the openssl dependency, IMO the best solution is a new
> > > > > > >   int av_random(uint8_t* buf, size_t len);
> > > > > > > that guarantees either cryptographically secure randomness or an error.
> > > > > > 
> > > > > > "guarantees cryptographically secure randomness" ?
> > > > > > If one defined "cryptographically secure" as "not broken publically as of today"
> > > > > > 
> > > > > > Iam saying that as i think "guarantees" can be misleading in what it means
> > > > > 
> > > > > I feel your snark is very much misplaced.
> > > > > 
> > > > 
> > > > > I recall way more instances of broken crypto caused by overconfident
> > > > > non-experts with an attitude like yours ("those silly crypto libraries,
> > > > > broken all the time, how hard can it be really") than by actual
> > > > > vulnerabilities in actual crypto libraries.
> > > > > 
> > > > > In fact the highest-profile break I remember (Debian key entropy bug)
> > > > > was caused precisely by non-experts fiddling with code they did not
> > > > > understand.
> > > > 
> > > > There is no snark here, at least that was not the intend
> > > > Also what you say in these 2 paragraphs is true but isnt really
> > > > related to what i said or meant to say
> > > > 
> > > > these cryptographically secure PRNGS are secure as long as the
> > > > currently used components and assumtations they are build on havnt
> > > > been broken.
> > > > Can i do better? no. but that doesnt mean that these
> > > > are going to be unbroken in 30 years.
> > > > just look 30 years in the past what percentage of what was believed to
> > > > be secure 30 years ago has been broken today. or 50 or 100years
> > > > thats really what i meant
> > > 
> > > I still don't see what point are you trying to make here.
> > > Yes, any practical cryptographic algorithm could potentially be broken
> > > at some point. And everything in real life is imperfect, because we do
> > > not live in the world of ideal forms.
> > 
> > > But I don't see what practical steps could or should be taken in
> > > response to this.
> > 
> > for us i dont know but a user could
> > instead of putting critical data in a system that might be broken in 30 years
> > just write it down on paper and burn and grind the paper when its not needed anymore
> > (which may or may not be an option)
> > 
> > nothing is perfect but there are methods to transfer and destroy data which have a
> > long track record of being secure and are simple.
> > 
> > I think we should not make it sound like encrypting with these random numbers
> > is as good as not storing/transmitting or using bits from fliping a real fair coin
> 
> We are not claiming that. We are claiming that the random numbers
> generated are (to the best of our ability, and that of the underlying
> libraries we rely on) cryptographically secure. This means suitable for
> use in state of the art cryptographic algorithms like AES.
> I do not think it makes sense to mistrust CSPRNGs, yet still trust AES.

The litteral wording was
"that guarantees either cryptographically secure randomness or an error."

that was what i refered to.

the wording used now:
"to the best of our ability, and that of the underlying libraries we rely on) cryptographically secure."

is perfectly fine with me.
I would have the same issue if someone said AES gurantees ...

thx


[...]
Anton Khirnov July 7, 2023, 8:05 a.m. UTC | #22 
Quoting Michael Niedermayer (2023-07-07 02:55:46)
> 
> The litteral wording was
> "that guarantees either cryptographically secure randomness or an error."
> 
> that was what i refered to.
> 
> the wording used now:
> "to the best of our ability, and that of the underlying libraries we rely on) cryptographically secure."
> 
> is perfectly fine with me.
> I would have the same issue if someone said AES gurantees ...

IMO the two formulations are equivalent whenever it comes to practical
computing. An algorithm can be mathematically proven to be sound*, but
any practical computing scheme on actual hardware is always subject to
software bugs, system misconfiguration, hardware bugs, hardware failure,
etc.

We use similar wording in other documentation, where e.g. we might
guarantee that some function returns a NULL-terminated string or so.
That guarantee is always under the implicit condition that there are no
bugs and the code runs in the expected environment. The same
considerations apply here.

* assuming there are no bugs in your proof
Michael Niedermayer July 7, 2023, 2:42 p.m. UTC | #23 
On Fri, Jul 07, 2023 at 10:05:50AM +0200, Anton Khirnov wrote:
> Quoting Michael Niedermayer (2023-07-07 02:55:46)
> > 
> > The litteral wording was
> > "that guarantees either cryptographically secure randomness or an error."
> > 
> > that was what i refered to.
> > 
> > the wording used now:
> > "to the best of our ability, and that of the underlying libraries we rely on) cryptographically secure."
> > 
> > is perfectly fine with me.
> > I would have the same issue if someone said AES gurantees ...
> 
> IMO the two formulations are equivalent whenever it comes to practical
> computing. An algorithm can be mathematically proven to be sound*, but
> any practical computing scheme on actual hardware is always subject to
> software bugs, system misconfiguration, hardware bugs, hardware failure,
> etc.
>

> We use similar wording in other documentation, where e.g. we might
> guarantee that some function returns a NULL-terminated string or so.
> That guarantee is always under the implicit condition that there are no
> bugs and the code runs in the expected environment. The same
> considerations apply here.

Theres a big difference between a bug in our implementation
And us claiming some cryptographic primitive is secure.
It was said previously that we shouldnt do things we lack the experties
on and rather delegate to cryptographic libraries writen and audited by
experts. (where it matters for security not just for playback)
But claiming CSPRNG or AES or anything else is guranteed secure is
exactly such a claim that is not within our experties.

If you claim your code produces a null terminated string that i believe
you (within the bounds you mentioned) but if you tell me AES will always
be secure i wont believe you that unless you have the mathemtical proofs
to back that up (and i read and understood them).

Now all that flawlessness with security primitives from proper security libs and
stuff needs to be taken with a grain of salt too.
just 4 months ago i found 2 issues with teh random number generator in the hardware
password manager that i use.
So yeah maybe people feels iam too nitpicky here but honestly id rather be nitpicky
on security stuff

thx

[...]
diff mbox series

Patch

diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c
index 1e0848ce3d..0b22c71186 100644
--- a/libavformat/hlsenc.c
+++ b/libavformat/hlsenc.c
@@ -40,6 +40,7 @@ 
 #include "libavutil/intreadwrite.h"
 #include "libavutil/opt.h"
 #include "libavutil/log.h"
+#include "libavutil/random_seed.h"
 #include "libavutil/time.h"
 #include "libavutil/time_internal.h"
 
@@ -710,18 +711,18 @@  fail:
     return ret;
 }
 
-static int randomize(uint8_t *buf, int len)
+static void randomize(uint8_t *buf, int len)
 {
 #if CONFIG_GCRYPT
     gcry_randomize(buf, len, GCRY_VERY_STRONG_RANDOM);
-    return 0;
+    return;
 #elif CONFIG_OPENSSL
     if (RAND_bytes(buf, len))
-        return 0;
-#else
-    return AVERROR(ENOSYS);
+        return;
 #endif
-    return AVERROR(EINVAL);
+    av_assert0(len % 4 == 0);
+    for (int i = 0; i < len; i += 4)
+        AV_WB32(buf + i, av_get_random_seed());
 }
 
 static int do_encrypt(AVFormatContext *s, VariantStream *vs)
@@ -775,10 +776,7 @@  static int do_encrypt(AVFormatContext *s, VariantStream *vs)
     if (!*hls->key_string) {
         AVDictionary *options = NULL;
         if (!hls->key) {
-            if ((ret = randomize(key, sizeof(key))) < 0) {
-                av_log(s, AV_LOG_ERROR, "Cannot generate a strong random key\n");
-                return ret;
-            }
+            randomize(key, sizeof(key));
         } else {
             memcpy(key, hls->key, sizeof(key));
         }