[openssl-dev] Plea for a new public OpenSSL RNG API

Kurt Roeckx kurt at roeckx.be
Tue Aug 29 21:39:58 UTC 2017


On Tue, Aug 29, 2017 at 08:38:09PM +0000, Blumenthal, Uri - 0553 - MITLL wrote:
> > If, based on its value, OpenSSL may decide that it now got “enough” entropy and doesn’t need to
> > pull more from other sources before serving randomness to requestors – then it is harmful.
> > “Over-confidence” in this value by the caller can negatively impact the quality of the produced
> > random numbers.
>     
>     As long as you have sources that don't provide 1 bit of randomness
>     per bit that you provide you need to have an estimate of how much
>     randomness it really contains. And you should probably seriously
>     underestimate it so that you're sure that you collect enough.
> 
> So let me underestimate it to 0. ;-)  
>   
>     The problem with ignoring an existing parameter is that people
>     could be calling it with for instance the value of 0, knowing it
>     contains as good as no entropy. Or they could feed the unwhitened
>     output of a TRNG in that with an estimate of randomness it provides.
>     And OpenSSL used to do the right thing with that.
> 
> I *don’t want* OpenSSL to make *any* estimation of the amount of provided entropy. All I want it to do is to mix these bits into the RNG state. It’s *my* business how much entropy I’m providing – but I don’t want OpenSSL to make any decision regarding pull from other entropy sources based on my input.
> 
> Does it sound reasonable? (He, it does to me ;)

But that is not the API that RAND_add() provides. It's a push not
a pull API. With the DRBG you can do this, assuming it's using an
extraction / derivative function.

One of the suggestions I did before is to have RAND_poll_ex() take
a parameter about how much randomness is needed, but I think it's
also a wrong API and I'm thinking about removing it.

>     But now we just ignore it and assume every bit we get contains 1
>     bit of randomness and we're suddenly seriously overestimating the
>     amount of randomness we're getting.
> 
> If I had my way, you’d assume that every bit contains 0 bits of entropy, but mix it in regardless because that’s what the user is asking you to do.

Which is why I suggested we use this for the additional data. But
I think that as long as we have both APIs we might actually need
it for the entropy input. If there is no other way to add
randomness, RAND_add() is our current documented way to add it,
and it will need to keep working.


Kurt
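The distinction drawn in this thread, between a RAND_add()-style push whose caller-supplied estimate is credited toward the seed level and DRBG additional input that is mixed in with zero credit, in an added toy model. This is illustrative code written for this page, not OpenSSL's DRBG; the class, its HMAC-based mixing and the 256-bit seed threshold are constructed assumptions.

```python
import hashlib
import hmac

# Constructed toy model (not OpenSSL code) of the two ways data can enter a DRBG:
#  - entropy input, credited with the caller's entropy estimate, and
#  - additional input, mixed into the state but credited with nothing.
SEED_STRENGTH_BITS = 256  # assumed: credited bits required before output is served


class ToyDRBG:
    def __init__(self):
        self.key = b"\x00" * 32   # state before any seeding
        self.credited_bits = 0    # running entropy estimate the DRBG believes

    def _mix(self, label, data):
        # Derive a fresh state key from the old key and the new material.
        self.key = hmac.new(self.key, label + data, hashlib.sha256).digest()

    def add_entropy(self, data, estimated_bits):
        """RAND_add-style push: the caller's estimate is believed and credited."""
        self._mix(b"entropy", data)
        self.credited_bits += estimated_bits

    def add_additional(self, data):
        """Additional-input style: state changes, entropy credit does not."""
        self._mix(b"additional", data)

    def is_seeded(self):
        return self.credited_bits >= SEED_STRENGTH_BITS

    def generate(self, nbytes):
        if not self.is_seeded():
            raise RuntimeError("not seeded: %d bits credited" % self.credited_bits)
        out = hmac.new(self.key, b"generate", hashlib.sha256).digest()[:nbytes]
        self._mix(b"update", b"")  # ratchet the state after each output
        return out


def try_generate(drbg, nbytes=16):
    """Return output if the DRBG agrees to serve, else None."""
    try:
        return drbg.generate(nbytes)
    except RuntimeError:
        return None


def overestimate_scenario(raw):
    """Push low-quality bytes claiming 1 bit per bit: the DRBG wrongly believes it is seeded."""
    d = ToyDRBG()
    d.add_entropy(raw, len(raw) * 8)
    return d.is_seeded(), try_generate(d) is not None


def zero_credit_scenario(raw):
    """Same bytes as additional input: the state moves, but no output is served."""
    d = ToyDRBG()
    before = d.key
    d.add_additional(raw)
    return d.is_seeded(), d.key != before, try_generate(d) is not None
```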
