[openssl-dev] Plea for a new public OpenSSL RNG API

Dr. Matthias St. Pierre Matthias.St.Pierre at ncp-e.com
Sun Sep 3 21:53:50 UTC 2017


>
> The 'RAND_add()/RAND_bytes()' pattern is broken
> ===============================================
> 
> In OpenSSL, the classical way for the RNG consumer to add his own randomness is to call 'RAND_add()' before
> calling 'RAND_bytes()'. If the new 'RAND_OpenSSL()' method (the "compatibility layer" hiding the public
> RAND_DRBG instance) is the default, then this does not work as expected anymore:
> 
> The reason is that a call to 'RAND_add()' adds the provided randomness only to a global buffer
> ('rand_bytes'), from which it will be pulled during the next reseed. But no reseed is triggered. So the next
> RAND_bytes() call will be unaffected by the RAND_add(), which is not what the consumer expected. (The same
> holds for 'RAND_seed()', since 'drbg_seed()' only calls into 'drbg_add()')
> 
> Reseeding of DRBGs occurs only at the following occasions:
> 
> * immediately after a 'fork()' (new)
> * if the 'reseed_counter' exceeds the 'reseed_interval'
> * if 'RAND_DRBG_generate()' is called requesting 'prediction_resistance'
> * 'RAND_DRBG_reseed()' is called explicitly
> 
> *Note:* Currently it looks like the situation is even worse: if 'RAND_add()' is called multiple times before
> a reseed occurs, then the result of the previous call is overwritten.


I just posted GitHub PR #4328 related to this issue.

	[openssl/openssl] WIP: Fix the RAND_add() reseeding issue (#4328)

 
Matthias St. Pierre
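
The following is an added illustration, not part of this message and not OpenSSL code: a toy C model of the reseed triggers described in the quoted text (reseed on counter exceeding the interval, on prediction resistance, or on an explicit reseed; the fork() trigger is not modelled). add() only writes into a single pending buffer that is consumed at the next reseed, so a generate() right after add() is unaffected, and a second add() before a reseed overwrites the first. The `fixed` flag shows one assumed remedy (add() marks the DRBG as requiring a reseed); it is an assumption for the example and not the change made in PR #4328. The mixing function (splitmix64), the constant ENTROPY standing in for the entropy source, and all function names are choices made for this example.

```c
#include <stdint.h>

/* Toy model of a DRBG with OpenSSL-style reseed triggers. Not OpenSSL code,
 * not a real DRBG: splitmix64 is used only to make the model deterministic. */
typedef struct {
    uint64_t state;            /* toy internal state */
    unsigned reseed_counter;   /* generate() calls since the last reseed */
    unsigned reseed_interval;  /* reseed once the counter reaches this */
    uint64_t pending;          /* models the global 'rand_bytes' buffer */
    int has_pending;           /* pending holds unconsumed additional input */
    int reseed_required;       /* set by add() only in the 'fixed' variant */
    int fixed;                 /* 0 = behaviour described in the thread */
} toy_drbg;

/* splitmix64 finaliser: a deterministic stand-in for the DRBG's hash/cipher. */
static uint64_t mix(uint64_t x)
{
    x += 0x9E3779B97F4A7C15ULL;
    x = (x ^ (x >> 30)) * 0xBF58476D1CE4E5B9ULL;
    x = (x ^ (x >> 27)) * 0x94D049BB133111EBULL;
    return x ^ (x >> 31);
}

static void toy_init(toy_drbg *d, unsigned reseed_interval, int fixed)
{
    d->state = mix(0x1234);    /* identical starting point for every instance */
    d->reseed_counter = 0;
    d->reseed_interval = reseed_interval;
    d->pending = 0;
    d->has_pending = 0;
    d->reseed_required = 0;
    d->fixed = fixed;
}

/* Reseed: pull fresh entropy and, only now, consume what add() left behind. */
static void toy_reseed(toy_drbg *d, uint64_t fresh_entropy)
{
    d->state = mix(d->state ^ fresh_entropy);
    if (d->has_pending) {
        d->state = mix(d->state ^ d->pending);
        d->has_pending = 0;
    }
    d->reseed_counter = 0;
    d->reseed_required = 0;
}

/* add(): stores the input in the shared buffer, overwriting any earlier input. */
static void toy_add(toy_drbg *d, uint64_t input)
{
    d->pending = input;        /* a second call before a reseed loses the first */
    d->has_pending = 1;
    if (d->fixed)
        d->reseed_required = 1; /* assumed fix: force a reseed on next generate */
}

/* generate(): reseeds only on the triggers named in the thread (no fork() here). */
static uint64_t toy_generate(toy_drbg *d, int prediction_resistance, uint64_t fresh_entropy)
{
    if (d->reseed_required || prediction_resistance
        || d->reseed_counter >= d->reseed_interval)
        toy_reseed(d, fresh_entropy);
    d->reseed_counter++;
    d->state = mix(d->state);
    return d->state;
}

/* Constant "fresh" entropy so two instances stay comparable (constructed input). */
#define ENTROPY 0xC0FFEEULL

/* Returns 1 if add() immediately before generate() had no effect on the output. */
int add_is_ignored(int fixed)
{
    toy_drbg control, with_add;
    toy_init(&control, 1000, fixed);
    toy_init(&with_add, 1000, fixed);
    toy_add(&with_add, 0xABCDEFULL);
    return toy_generate(&control, 0, ENTROPY) == toy_generate(&with_add, 0, ENTROPY);
}

/* Returns 1 if two add() calls before a reseed collapse to the second one only. */
int first_add_is_overwritten(void)
{
    toy_drbg a, b;
    toy_init(&a, 1000, 0);
    toy_init(&b, 1000, 0);
    toy_add(&a, 0x1111ULL);
    toy_add(&a, 0x2222ULL);
    toy_add(&b, 0x2222ULL);
    toy_reseed(&a, ENTROPY);   /* explicit reseed, as RAND_DRBG_reseed() would */
    toy_reseed(&b, ENTROPY);
    return toy_generate(&a, 0, ENTROPY) == toy_generate(&b, 0, ENTROPY);
}

/* With reseed_interval = 2, returns the 1-based index of the first generate()
 * whose output differs between a DRBG that got add() and one that did not. */
int first_diverging_call(void)
{
    toy_drbg control, with_add;
    toy_init(&control, 2, 0);
    toy_init(&with_add, 2, 0);
    toy_add(&with_add, 0xABCDEFULL);
    for (int i = 1; i <= 5; i++)
        if (toy_generate(&control, 0, ENTROPY) != toy_generate(&with_add, 0, ENTROPY))
            return i;
    return 0;
}
```

In the unfixed variant the first two generate() calls after add() are identical to those of a DRBG that never saw the additional input; only the third call, which trips the interval-based reseed, pulls the pending buffer in. Requesting prediction resistance on the first call would have the same effect, since it also forces a reseed.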
