#17799: Hash All PRNG output before use
--------------------+------------------------------------
 Reporter:  teor    |          Owner:
     Type:  defect  |         Status:  new
 Priority:  Medium  |      Milestone:  Tor: 0.2.8.x-final
Component:  Tor     |        Version:  Tor: unspecified
 Severity:  Normal  |     Resolution:
 Keywords:          |  Actual Points:
Parent ID:          |         Points:
  Sponsor:          |
--------------------+------------------------------------

Comment (by nickm):

 Here is the design I would suggest for such a thing.

 Replace crypto_rand() with a construction that fills an internal buffer by
 taking bytes from RAND_bytes() and then passing them through SHAKE128 to
 expand them.  Then yield bytes from that buffer as required.  As they are
 yielded, clear the buffer.  When the buffer is exhausted, refill it.

 If we want, we can seed the initial buffer with crypto_strongest_rand(),
 and seed subsequent buffers with a mixture of the tail-end of the previous
 buffer and RAND_bytes().

 This should meet the design criteria described above, and provide better
 performance and security than the current openssl nonsense.

 I can take care of this once the SHA3 branch (#17783) is merged.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17799#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
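The construction nickm sketches above, as an added, runnable model in Python; this is not Tor's code and not the patch that eventually landed. `hashlib.shake_128` stands in for the SHA3 branch's SHAKE128, an injectable `entropy_source` stands in for `RAND_bytes()`, the optional `strongest_seed` stands in for `crypto_strongest_rand()`, and the buffer, tail and seed sizes plus the domain-separation label are assumptions chosen for illustration. The point of the design is visible in the code: bytes from the underlying PRNG are never handed out directly, only after SHAKE128 expansion; consumed bytes are zeroed as they are yielded; and the last `TAIL_LEN` bytes of each buffer are never yielded at all, so they can be mixed with fresh `RAND_bytes()` output to seed the next buffer.

```python
import hashlib
import os

# Sizes are assumptions for this example, not values from Tor.
BUF_LEN = 1024    # bytes SHAKE128 produces per refill
TAIL_LEN = 32     # bytes at the end of each buffer reserved for reseeding, never yielded
FRESH_LEN = 32    # bytes pulled from the entropy source (RAND_bytes stand-in) per refill
DOMAIN = b"shake-prng-example-v1"   # constructed domain-separation label (assumption)


class ShakeBufferedRng:
    """Buffered PRNG: seed -> SHAKE128 -> buffer -> yield-and-clear -> reseed."""

    def __init__(self, entropy_source=os.urandom, strongest_seed=None):
        self.entropy_source = entropy_source   # stand-in for RAND_bytes()
        self.refills = 0
        self.buf = bytearray(BUF_LEN)
        self.pos = 0
        # Initial seed: caller-supplied "strongest" entropy (crypto_strongest_rand()
        # stand-in), otherwise fall back to the ordinary entropy source.
        seed = strongest_seed if strongest_seed is not None else self.entropy_source(FRESH_LEN)
        self._fill(seed)

    def _fill(self, seed):
        # Expand the seed with SHAKE128 into a fresh buffer; the raw seed is never yielded.
        self.buf = bytearray(hashlib.shake_128(DOMAIN + seed).digest(BUF_LEN))
        self.pos = 0
        self.refills += 1

    def _reseed(self):
        # Mix the never-yielded tail of the exhausted buffer with fresh entropy.
        tail = bytes(self.buf[BUF_LEN - TAIL_LEN:])
        fresh = self.entropy_source(FRESH_LEN)
        # Best-effort wipe of the old buffer (a C implementation would memwipe here).
        self.buf[:] = bytes(BUF_LEN)
        self._fill(tail + fresh)

    def get_bytes(self, n):
        out = bytearray()
        usable_end = BUF_LEN - TAIL_LEN        # tail region is reserved for reseeding
        while len(out) < n:
            if self.pos >= usable_end:
                self._reseed()
            take = min(n - len(out), usable_end - self.pos)
            out += self.buf[self.pos:self.pos + take]
            # Clear bytes as they are yielded so the buffer never retains past output.
            self.buf[self.pos:self.pos + take] = bytes(take)
            self.pos += take
        return bytes(out)

    def consumed_region_is_zero(self):
        """True if every byte already handed out has been wiped from the buffer."""
        return all(b == 0 for b in self.buf[:self.pos])


def demo():
    """Exercise the design with a constructed, deterministic entropy source
    (NOT random; used only so the behaviour is reproducible)."""
    def fake_entropy(n):
        return b"\x42" * n
    rng_a = ShakeBufferedRng(entropy_source=fake_entropy)
    rng_b = ShakeBufferedRng(entropy_source=fake_entropy)
    first_a = rng_a.get_bytes(64)
    first_b = rng_b.get_bytes(64)
    big = rng_a.get_bytes(3 * BUF_LEN)      # spans several buffers, forcing reseeds
    return {
        "same_seed_same_output": first_a == first_b,
        "consumed_is_zeroed": rng_a.consumed_region_is_zero(),
        "refills": rng_a.refills,
        "big_len": len(big),
    }


if __name__ == "__main__":
    print(demo())
    print(ShakeBufferedRng().get_bytes(16).hex())   # seeded from os.urandom
```

With the constructed entropy source, two generators agree byte for byte, which is what makes the expansion step testable; with `os.urandom` they diverge. Drawing 64 + 3072 bytes at 992 usable bytes per buffer costs four fills in total, and after each draw the consumed prefix of the buffer reads as zeros.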