<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Сергей ,<br class=""><div class=""><div dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class=""></div><div dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">We are aware that we do not handle the fork(2) system call perfectly. My advice would be to not hold a lock while calling fork(2). OpenSSL, as of 1.1.0, does hold per-process locks itself. The locking callbacks were present in 1.0.2 and before but are now obsolete.</div><div dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class=""></div><div dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Even if it isn’t perfect, OpenSSL does attempt to reseed the DRBG chains when fork(2) is called. This is not designed to meet any of the NIST requirements. Rather it is to ensure that the parent and child processes have different random seed material. High quality random numbers are critical to security — they are the foundation upon which everything else is based. OpenSSL tries to not take any shortcuts here. The DRBG chains are part of the considered solution — the public and private DRBGs are distinct and a compromise of one shouldn’t impact the other; they are also per thread which shouldn’t negatively impact performance (by locking).</div><div dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class=""></div><div dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class=""></div><div dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Спасибо,</div><div dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class=""></div><div dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Pauli</div></div><div dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">(my Русский is very rusty)</div><div class="">
<div dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;">-- <br class="">Dr Paul Dale | Distinguished Architect | Cryptographic Foundations <br class="">Phone +61 7 3031 7217<br class="">Oracle Australia</div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><br class=""></div><br class="Apple-interchange-newline"></div><br class="Apple-interchange-newline">
</div>
<div><br class=""><blockquote type="cite" class=""><div class="">On 28 Aug 2019, at 6:51 pm, Сергей Юнаковский <<a href="mailto:lein360@gmail.com" class="">lein360@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">Hello,<div class="">I have a question regarding the usage of the master DRBG during the fork operation. As far as I understand from the source code and articles, during the fork the library will perform the lock of the master DRBG to obtain the entropy for public and private DRBG. </div><div class="">However, the library does not perform the check of the lock state itself and it is unclear for me, what will happen if the master DRBG is locked during the creation of the fork process. </div><div class=""><br class=""></div><div class="">Additionally, what was the purpose of such complicated scheme for DRBGs except for NIST requirements? Is it possible to solve fork problem without implementing the chain of DRBGs?</div><div class=""><br class=""></div><div class="">Can you please help with this?</div><div class=""><br class=""></div><div class="">Articles:</div><div class=""><a href="https://www.openssl.org/docs/man1.1.1/man7/RAND_DRBG.html" target="_blank" class="">https://www.openssl.org/docs/man1.1.1/man7/RAND_DRBG.html</a><br class=""></div><div class=""><a href="http://emboss.github.io/blog/2013/08/21/openssl-prng-is-not-really-fork-safe/" target="_blank" class="">http://emboss.github.io/blog/2013/08/21/openssl-prng-is-not-really-fork-safe/</a><br class=""></div><div class=""><a href="https://wiki.openssl.org/index.php/Random_fork-safety" target="_blank" class="">https://wiki.openssl.org/index.php/Random_fork-safety</a><br class=""></div><div class=""><br class=""></div><div class="">Here is the code from the rand_lib.c:</div><div class=""><div style="color:rgb(248,248,242);background-color:rgb(25,25,25);font-family:"Fira Code",Consolas,"Courier New",monospace;font-size:14px;line-height:19px;white-space:pre-wrap" class=""><div class=""> <span style="color:rgb(140,218,255)" class="">rand_drbg_lock</span>(<span style="color:rgb(233,253,172)" class="">drbg</span>-><span style="color:rgb(233,253,172)" class="">parent</span>);</div><div class=""> <span style="color:rgb(255,94,94)" class="">if</span> (<span style="color:rgb(140,218,255)" class="">RAND_DRBG_generate</span>(<span style="color:rgb(233,253,172)" class="">drbg</span>-><span style="color:rgb(233,253,172)" class="">parent</span>,</div><div class=""> buffer, bytes_needed,</div><div class=""> prediction_resistance,</div><div class=""> <span style="color:rgb(255,137,66)" class="">NULL</span>, <span style="color:rgb(253,176,130)" class="">0</span>) <span style="color:rgb(255,94,94)" class="">!=</span> <span style="color:rgb(253,176,130)" class="">0</span>)</div><div class=""> bytes <span style="color:rgb(255,94,94)" class="">=</span> bytes_needed;</div><div class=""> <span style="color:rgb(233,253,172)" class="">drbg</span>-><span style="color:rgb(233,253,172)" class="">reseed_next_counter</span></div><div class=""> <span style="color:rgb(255,94,94)" class="">=</span> <span style="color:rgb(140,218,255)" class="">tsan_load</span>(<span style="color:rgb(255,94,94)" class="">&</span><span style="color:rgb(233,253,172)" class="">drbg</span>-><span style="color:rgb(233,253,172)" class="">parent</span>-><span style="color:rgb(233,253,172)" class="">reseed_prop_counter</span>);</div><div class=""> <span style="color:rgb(140,218,255)" class="">rand_drbg_unlock</span>(<span style="color:rgb(233,253,172)" class="">drbg</span>-><span style="color:rgb(233,253,172)" class="">parent</span>);</div></div></div></div>
</div></blockquote></div><br class=""></body></html>