Re: gen_random_uuid security not explicit in documentation
Heikki Linnakangas <hlinnaka@iki.fi>
From: Heikki Linnakangas <hlinnaka@iki.fi>
To: Michael Paquier <michael.paquier@gmail.com>, rightfold@gmail.com
Cc: pgsql-docs@postgresql.org
Date: 2017-06-22T18:02:03Z
Lists: pgsql-hackers, pgsql-docs
On 01/03/2017 02:47 PM, Michael Paquier wrote: > (Adding Heikki in CC who committed this code) > > On Mon, Jan 2, 2017 at 8:20 AM, <rightfold@gmail.com> wrote: >> The C source code of gen_random_uuid reads: >> >> /* >> * Generate random bits. pg_backend_random() will do here, we don't >> * promis UUIDs to be cryptographically random, when built with >> * --disable-strong-random. >> */ >> >> However, the pgcrypto documentation does not mention >> --disable-strong-random >> at all. I think the documentation should mention under which conditions >> the function returns secure data. > > That's actually a good idea. But as it does not only apply to > get_random_uuid(), I would think that a notice at the top of the > pgcrypto documentation would make the most sense. Something like: > "If PostgreSQL is built with --disable-strong-random, the data > generated by the functions is not guaranteed to be cryptographically > random." Hmm, not sure what to do here. --disable-strong-random is similar to e.g. --disable-spinlocks; no reasonable production platform would use it. So I'm not inclined to sprinkle references to it across the docs, it seems better to document what it changes, in the description of --disable-strong-random itself. To be pedantic, the documentation only claims that gen_random_bytes() returns cryptographically strong values. For gen_random_uuid(), it just says that it's "random". But yeah, it's subtle. By the feat of having them side-by-side, and a similar name, you'd think that they behave the same. And with --enable-strong-random, they do. I'm inclined to change gen_random_uuid() to throw an error if the server is built with --disable-strong-random, like gen_random_bytes() does. That way, they would behave the same. Thoughts? - Heikki
Commits
-
Forbid gen_random_uuid() with --disable-strong-random
- bf723a274cbb 10.0 landed