Andrew Ayer

LibreSSL's PRNG is Unsafe on Linux [Update: LibreSSL fork fix]

Comment by Andrew Ayer

Posted in reply to Comment by Reader no. 6.

This comment is owned by whoever posted it. I am not responsible for it in any way.

That's nice research about RAND_poll. It's possible other programs are using another way of reseeding the PRNG, such as RAND_add. If any program forks without reseeding the OpenSSL PRNG, they are unsafe under OpenSSL and are unsafe under LibreSSL. What I object to are security-conscious programs (such as Tor) doing it right under OpenSSL now being unsafe when linked with an allegedly drop-in replacement for OpenSSL. Nothing excuses that even if only a handful of programs are currently safe.

> Read the comments, especially lines 130-153. This is more a case of "if your kernel doesn't provide a reliable means to fetch entropy, we'll try what we can, but there really isn't much we can do".

Line 142 suggests a much better alternative to using sketchy entropy: "Could raise(SIGKILL) resulting in silent program termination." They don't justify why silently returning sketchy entropy is better than SIGKILLing the process, except with: "This code path exists to bring light to the issue that Linux does not provide a failsafe API for entropy collection." Well, I agree that's an issue, but I don't think that's a good reason to potentially compromise the entropy gathering of a security-critical library.

Also note that even if Linux retains sysctl or provides a safe alternative, it only fixes the chroot issue - forking will still be a problem unless LibreSSL rips out their userspace PRNG entirely and just passes RAND_bytes calls straight through to the syscall.

Posted on 2014-07-15 at 14:17:05 UTC by Andrew Ayer
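Added example, not part of the comment above and not OpenSSL or LibreSSL code: a toy userspace PRNG whose state is copied by fork(), so parent and child draw the same value unless the child reseeds, which is the step the comment describes programs performing with RAND_poll or RAND_add. The names `toy_reseed`, `toy_next` and `fork_outputs_match` are hypothetical, and the generator is a non-cryptographic xorshift64 that models neither library's real internals.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Toy userspace generator (xorshift64) standing in for a library PRNG's
 * in-process state. Not cryptographically secure; illustration only. */
static uint64_t state;

/* Seed from the kernel; abort rather than continue with a weak seed. */
static void toy_reseed(void) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f || fread(&state, sizeof state, 1, f) != 1) abort();
    fclose(f);
    if (state == 0) state = 1; /* xorshift state must be nonzero */
}

static uint64_t toy_next(void) {
    state ^= state << 13; state ^= state >> 7; state ^= state << 17;
    return state;
}

/* Seed once, fork, draw one value in each process. Returns 1 if parent
 * and child drew the same value, 0 if they differ, -1 on error. */
int fork_outputs_match(int reseed_in_child) {
    int fds[2];
    uint64_t child_val = 0, parent_val;
    toy_reseed();
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { /* child: inherited a copy of `state` */
        if (reseed_in_child) toy_reseed();
        uint64_t v = toy_next();
        _exit(write(fds[1], &v, sizeof v) == (ssize_t)sizeof v ? 0 : 1);
    }
    close(fds[1]);
    parent_val = toy_next();
    ssize_t n = read(fds[0], &child_val, sizeof child_val);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return n == (ssize_t)sizeof child_val ? parent_val == child_val : -1;
}

int main(void) {
    printf("no reseed after fork: match=%d\n", fork_outputs_match(0));
    printf("reseed in child:      match=%d\n", fork_outputs_match(1));
    return 0;
}
```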
