Re: ssleay PRNG entropy

2013-10-23 Thread Fedor Indutny
Hello again,

Is there any way to speed up discussion on this topic?

Cheers,
Fedor.


On Mon, Oct 21, 2013 at 3:09 PM, Fedor Indutny fe...@indutny.com wrote:

 Hello devs!

 I just found that it's impossible to get an error from `RAND_bytes()` if
 running on the default `RAND_SSLeay()` method.

 There are a couple of reasons and observations that confirm it
 (sorry for using github, it's just more convenient to me):

 1. `RAND_poll()` is called only once in the initialization of the method:
 https://github.com/openssl/openssl/blob/master/crypto/rand/md_rand.c#L436-L440
 and
 https://github.com/openssl/openssl/blob/master/crypto/rand/md_rand.c#L648-L652
 2. Static variable `entropy`, which is used to determine if the PRNG
 output is secure, is never decreased, and actually stays exactly at
 the `ENTROPY_NEEDED` value all the time. This happens because `entropy -= ...`
 happens only in the following condition:
 https://github.com/openssl/openssl/blob/master/crypto/rand/md_rand.c#L446-L463,
 which is always true.

 I think I can contribute a patch to make it work properly, if this isn't
 an intended behavior.

 Basically, to my mind, the if condition in pt. 2 should be removed and
 `RAND_poll()` should be called when there's not enough entropy. But
 that'll lead to enormous amounts of `RAND_poll()` calls, which will make
 performance worse than it really is.

 Any thoughts, opinions?

 Thank you,
 Fedor.



Re: ssleay PRNG entropy

2013-10-23 Thread Richard Könning

Am 21.10.2013 13:09, schrieb Fedor Indutny:

Hello devs!

I just found that it's impossible to get an error from `RAND_bytes()` if
running on the default `RAND_SSLeay()` method.

There are a couple of reasons and observations that confirm it
(sorry for using github, it's just more convenient to me):

1. `RAND_poll()` is called only once in the initialization of the method:
https://github.com/openssl/openssl/blob/master/crypto/rand/md_rand.c#L436-L440
and
https://github.com/openssl/openssl/blob/master/crypto/rand/md_rand.c#L648-L652
2. Static variable `entropy`, which is used to determine if the PRNG
output is secure, is never decreased, and actually stays exactly at
the `ENTROPY_NEEDED` value all the time. This happens because `entropy -=
...` happens only in the following condition:
https://github.com/openssl/openssl/blob/master/crypto/rand/md_rand.c#L446-L463,
which is always true.

I think I can contribute a patch to make it work properly, if this isn't
an intended behavior.


Well, the comment in the code states it imho clearly that this *is* 
intended behavior:



* Once we've had enough initial seeding we don't bother to
* adjust the entropy count, though, because we're not ambitious
* to provide *information-theoretic* randomness.


Ciao
Richard
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


Re: ssleay PRNG entropy

2013-10-23 Thread Fedor Indutny
Hello Richard,

Yes, I see what this comment means. But what's the difference between
RAND_bytes() and RAND_pseudo_bytes() then? They seem to be using exactly
the same amount of entropy and can't ever fail or return `0` (meaning that
data is insecure).

In my opinion, the current implementation could be a RAND_pseudo_bytes()
backend, and RAND_bytes() should be something more secure (considering that
this is how it's described in the man documentation).

Cheers,
Fedor.





Re: ssleay PRNG entropy

2013-10-23 Thread Richard Könning

Am 23.10.2013 18:49, schrieb Fedor Indutny:

Hello Richard,

Yes, I see what this comment means. But what's the difference between
RAND_bytes() and RAND_pseudo_bytes() then? They seem to be using
exactly the same amount of entropy and can't ever fail or return `0`
(meaning that data is insecure).


If I'm not overlooking something, the difference is only in the
initialisation phase, when the entropy pool hasn't reached a specific
entropy limit at least once. Calling ssleay_rand_bytes with pseudo = 0
in this phase will result in an error entry; calling it with pseudo = 1
will give only the zero return code.



In my opinion, the current implementation could be a RAND_pseudo_bytes()
backend, and RAND_bytes() should be something more secure (considering
that this is how it's described in the man documentation).


Well, my impression is that the creators of the respective code consider 
the bytes delivered secure enough after the entropy pool has been 
sufficiently seeded once.

Someone who doesn't share this opinion is free to do additional seedings.
Ciao,
Richard
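
The accounting discussed in this thread, as an added example that is not part of any message above and is not OpenSSL's md_rand.c: a simplified C model of an entropy estimate that is charged for output only before the pool is first seeded, and of the pseudo = 0 / pseudo = 1 difference in that phase. The names `prng_model`, `model_add` and `model_bytes` and the 32-byte threshold are assumptions made for the model.

```c
#include <stdio.h>

/* Simplified model, not OpenSSL code; names and threshold are assumptions. */
#define ENTROPY_NEEDED 32.0 /* seeding threshold, in bytes */

struct prng_model {
    double entropy;   /* running entropy estimate, in bytes */
    int error_queued; /* stands in for an entry on the error queue */
};

/* Seeding credits the estimate only while it is below the threshold. */
static void model_add(struct prng_model *p, double credit)
{
    if (p->entropy < ENTROPY_NEEDED)
        p->entropy += credit;
}

/* Draw num bytes (generation omitted). Returns 1 once the pool counts as
 * seeded, else 0; only the pseudo = 0 call records an error. */
static int model_bytes(struct prng_model *p, int num, int pseudo)
{
    int ok = p->entropy >= ENTROPY_NEEDED;

    if (!ok) { /* output is charged against the estimate only before seeding */
        p->entropy -= num;
        if (p->entropy < 0)
            p->entropy = 0;
        if (!pseudo)
            p->error_queued = 1;
    }
    return ok;
}

int main(void)
{
    struct prng_model p = {0.0, 0};
    int i, r;

    r = model_bytes(&p, 16, 1);
    printf("unseeded, pseudo=1: ret=%d error=%d\n", r, p.error_queued);
    r = model_bytes(&p, 16, 0);
    printf("unseeded, pseudo=0: ret=%d error=%d\n", r, p.error_queued);

    model_add(&p, 40.0); /* one sufficient seeding */
    for (i = 0, r = 1; i < 100000; i++)
        r &= model_bytes(&p, 1024, 0);
    printf("after 100000 draws: all ok=%d entropy=%.0f\n", r, p.entropy);
    return 0;
}
```

In this model a caller that wants fresh entropy later has to mix it in itself, since neither return value changes once the threshold has been crossed.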


ssleay PRNG entropy

2013-10-21 Thread Fedor Indutny
Hello devs!

I just found that it's impossible to get an error from `RAND_bytes()` if
running on the default `RAND_SSLeay()` method.

There are a couple of reasons and observations that confirm it
(sorry for using github, it's just more convenient to me):

1. `RAND_poll()` is called only once in the initialization of the method:
https://github.com/openssl/openssl/blob/master/crypto/rand/md_rand.c#L436-L440
and
https://github.com/openssl/openssl/blob/master/crypto/rand/md_rand.c#L648-L652
2. Static variable `entropy`, which is used to determine if the PRNG output
is secure, is never decreased, and actually stays exactly at
the `ENTROPY_NEEDED` value all the time. This happens because `entropy -= ...`
happens only in the following condition:
https://github.com/openssl/openssl/blob/master/crypto/rand/md_rand.c#L446-L463,
which is always true.

I think I can contribute a patch to make it work properly, if this isn't an
intended behavior.

Basically, to my mind, the if condition in pt. 2 should be removed and
`RAND_poll()` should be called when there's not enough entropy. But
that'll lead to enormous amounts of `RAND_poll()` calls, which will make
performance worse than it really is.

Any thoughts, opinions?

Thank you,
Fedor.