[pkg-gnupg-maint] Bug#851298: 10 second delay on first ssh use (sleeps in agent_libgcrypt_progress_cb)
Peter Palfrader
weasel at debian.org
Fri Jan 13 19:02:33 UTC 2017
Package: gnupg-agent
Version: 2.1.17-2
Severity: normal
I am using gpg-agent as my ssh agent. When I do my first ssh connection
on a newly started agent, then after having entered the passphrase into
a pinentry, there is about a 10 second delay.
It turns out, gpg-agent is "busy" collecting randomness:
> [pid 2378] select(9, [8], NULL, NULL, {tv_sec=0, tv_usec=100000}) = 1 (in [8], left {tv_sec=0, tv_usec=99990})
> [pid 2378] getrandom("\257A\325\337\206\370\35\201[\305\212\241s\2$\262\306\347\232\201\n\377\25hmq\251_\227\217\343\371"..., 90, 0) = 90
> [pid 2378] nanosleep({tv_sec=0, tv_nsec=114131000}, NULL) = 0
> [pid 2378] nanosleep({tv_sec=0, tv_nsec=114131000}, NULL) = 0
> [pid 2378] select(9, [8], NULL, NULL, {tv_sec=0, tv_usec=100000}) = 1 (in [8], left {tv_sec=0, tv_usec=99998})
> [pid 2378] getrandom("u\314\v\272\361\3625\3\232?MJ\22\347\271Rv\357\335\fT\246\207\23m\2511Z\32Q\2\334"..., 90, 0) = 90
> [pid 2378] nanosleep({tv_sec=0, tv_nsec=114131000}, NULL) = 0
> [pid 2378] nanosleep({tv_sec=0, tv_nsec=114131000}, NULL) = 0
> [pid 2378] select(9, [8], NULL, NULL, {tv_sec=0, tv_usec=100000}) = 1 (in [8], left {tv_sec=0, tv_usec=99998})
So it's nanosleeping in 100ms increments for about 10 seconds.
The thing that does the sleeping is agent_libgcrypt_progress_cb() in agent/gpg-agent.c:
> /* Libgcrypt < 1.8 does not know about nPth and thus when it reads
>  * from /dev/random this will block the process. To mitigate this
>  * problem we take a short nap when Libgcrypt tells us that it needs
>  * more entropy. This way other threads have chance to run. */
> #if GCRYPT_VERSION_NUMBER < 0x010800 /* 1.8.0 */
>   if (what && !strcmp (what, "need_entropy"))
>     npth_usleep (114131); /* 100ms */
> #endif
[the original code has 100000 there instead of 114131 -- I made that change to
verify it's this code that does the sleeping.]
I would expect my ssh and thus my gpg-agent to be fast, not spend 10
seconds in sleeps when I want things to happen.
Commenting out these 2-4 lines makes my first ssh connection as fast as
I can provide the passphrase to pinentry, as it should be.
I suspect the callback shouldn't try to sleep if the entropy is being
read from a non-blocking source, or maybe the callback shouldn't be
called in such cases in the first place. Another option, if the sleep
is considered important, is to maybe cut it down by an order of
magnitude or two.
Cheers,
weasel
-- 
                           |  .''`.  ** Debian **
      Peter Palfrader      | : :' :      The  universal
https://www.palfrader.org/ | `. `'      Operating System
                           |   `-    https://www.debian.org/
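The report suggests that the callback should not nap when the entropy source is non-blocking. The program below is an added illustration of that idea, not code from the bug report or from GnuPG: it stands in for the `need_entropy` callback and, before napping, probes the kernel pool with `getrandom(2)` and `GRND_NONBLOCK`, which fails with `EAGAIN` only while the pool is still uninitialised (the one case where a blocking read would actually stall the process). The function names, the `use_check` switch and the 90-byte read loop modelled on the strace above are all constructed for this example; the assumption is that a non-blocking probe is an adequate proxy for "a read would not block".

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/random.h>

/* Constructed example: a hypothetical alternative to the unconditional nap in
 * agent_libgcrypt_progress_cb(). Before napping on a "need_entropy"
 * notification, ask the kernel whether a read from the pool would block. */

/* 1 = pool ready (a read returns at once), 0 = pool not yet initialised
 * (a blocking read would stall), -1 = some other error. */
int entropy_ready(void)
{
    unsigned char probe;
    if (getrandom(&probe, 1, GRND_NONBLOCK) == 1)
        return 1;
    return (errno == EAGAIN) ? 0 : -1;
}

/* Stand-in for the progress callback. Returns 1 if it napped, 0 otherwise.
 * nap_us is the nap length in microseconds; the original code uses 100000. */
int progress_cb(const char *what, int use_check, long nap_us)
{
    if (!what || strcmp(what, "need_entropy") != 0)
        return 0;
    if (use_check && entropy_ready() == 1)
        return 0;                       /* source will not block: no nap */
    struct timespec ts = { nap_us / 1000000, (nap_us % 1000000) * 1000 };
    nanosleep(&ts, NULL);               /* the original nap, kept as-is */
    return 1;
}

/* Simulate libgcrypt pulling `calls` chunks of 90 bytes from the kernel
 * (the chunk size seen in the strace), invoking the callback around each
 * read. Returns the number of naps taken, or -1 if getrandom() failed. */
int run_collection(int calls, int use_check, long nap_us)
{
    unsigned char buf[90];
    int naps = 0;
    for (int i = 0; i < calls; i++) {
        naps += progress_cb("need_entropy", use_check, nap_us);
        if (getrandom(buf, sizeof buf, 0) != (ssize_t)sizeof buf)
            return -1;
    }
    return naps;
}

int main(void)
{
    struct timespec t0, t1;
    for (int use_check = 0; use_check <= 1; use_check++) {
        clock_gettime(CLOCK_MONOTONIC, &t0);
        int naps = run_collection(10, use_check, 100000);
        clock_gettime(CLOCK_MONOTONIC, &t1);
        double ms = (t1.tv_sec - t0.tv_sec) * 1e3
                  + (t1.tv_nsec - t0.tv_nsec) / 1e6;
        printf("check=%d naps=%d elapsed=%.0f ms\n", use_check, naps, ms);
    }
    return 0;
}
```

On a booted system the pool is already initialised, so the checked variant takes no naps at all while the unchecked one sleeps 100 ms per callback, which is the 10 second delay the report measures over roughly a hundred callbacks. The real gpg-agent callback receives libgcrypt's progress-handler arguments rather than the `use_check`/`nap_us` parameters used here; those exist only so the two policies can be compared side by side.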