
[Bug-wget] OpenSSL, random seeding and init_prng

From: Jeffrey Walton
Subject: [Bug-wget] OpenSSL, random seeding and init_prng
Date: Thu, 19 Oct 2017 04:27:00 -0400

Hi Everyone,

Looking at https://git.savannah.gnu.org/cgit/wget.git/tree/src/openssl.c
and init_prng, there could be four small issues, but I don't think
they pose significant risk. I think it's mostly splitting hairs.

First, checking RAND_status could set up a race condition for most
software. Wget is not general purpose, so I'm not sure if it applies
here. That is, will another Wget thread drain entropy just after this
thread initializes the prng:

    if (RAND_status ())

Second, there are several of these sprinkled throughout init_prng.

    if (RAND_status ())

If random_file is plentiful but fixed (maybe burned into ROM), then
entropy does not really change in the way one would expect on a
desktop. The early-out effectively means the same blob might be used
over and over again:

    if (random_file && *random_file)
      RAND_load_file (random_file, 16384);

    if (RAND_status ())

Third, if a user wants to add EGD entropy via --egd-file=file, then
the early out from item (2) means the user's choice may not be honored
in some instances. That is, the same blob is used over and over again
and the early out short circuits the desired EGD code:

    if (RAND_status ())

  #ifdef HAVE_RAND_EGD
  /* Get random data from EGD if opt.egd_file was used.  */
    if (opt.egd_file && *opt.egd_file)
      RAND_egd (opt.egd_file);

Fourth, before an OpenSSL routine is called that uses random
numbers, the prng could be re-seeded/stirred to help avoid some
entropy based attacks, like VM rollbacks. Also see the following
references. Even NIST is recommending a stir in their approved
generators for prediction resistance and back tracking resistance:

* When Virtual is Harder than Real: Security Challenges in Virtual
Machine Based Computing Environments,

* When Good Randomness Goes Bad: Virtual Machine Reset Vulnerabilities
and Hedging Deployed Cryptography,

* NIST SP 800-90A,

