[openssl-dev] Work on a new RNG for OpenSSL
Kurt Roeckx
kurt at roeckx.be
Tue Jun 27 21:51:23 UTC 2017
On Tue, Jun 27, 2017 at 11:56:04AM -0700, John Denker via openssl-dev wrote:
> On 06/27/2017 02:28 AM, Matt Caswell wrote:
> >>
> >> I also agree that, by default, using the OS provided source makes a lot
> >> of sense.
>
> Reality is more complicated than that; see below.
>
> On 06/27/2017 11:50 AM, Benjamin Kaduk via openssl-dev wrote:
>
> > Do you mean having openssl just pass through to
> > getrandom()/read()-from-'/dev/random'/etc. or just using those to seed
> > our own thing?
> >
> > The former seems simpler and preferable to me (perhaps modulo linux's
> > broken idea about "running out of entropy")
>
> That's a pretty big modulus. As I wrote over on the crypto list:
>
> The xenial 16.04 LTS manpage for getrandom(2) says quite explicitly:
>
> >> Unnecessarily reading large quantities of data will have a
> >> negative impact on other users of the /dev/random and /dev/urandom
> >> devices.
>
> And that's an understatement. Whether unnecessary or not, reading
> not-particularly-large quantities of data is tantamount to a
> denial of service attack against /dev/random and against its
> upstream sources of randomness.
>
> No later LTS is available. Reference:
> http://manpages.ubuntu.com/manpages/xenial/man2/getrandom.2.html
>
> Recently there has been some progress on this, as reflected in in
> the zesty 17.04 manpage:
> http://manpages.ubuntu.com/manpages/zesty/man2/getrandom.2.html
>
> However, in the meantime openssl needs to run on the platforms that
> are out there, which includes a very wide range of platforms.
And I think it's actually because of changes in the Linux RNG that
the manpage has been changed, but they did not document the
different behavior of the kernel versions.
In case it wasn't clear, I think we should use the OS provided
source as a seed. By default that should be the only source of
randomness.
Kurt
More information about the openssl-dev
mailing list