Andrew Ayer

Andrew Ayer on 2014-07-15 at 14:17:

That's nice research about RAND_poll. It's possible other programs are using another way of reseeding the PRNG, such as RAND_add. If any program forks without reseeding the OpenSSL PRNG, they are unsafe under OpenSSL and are unsafe under LibreSSL. What I object to are security-conscious programs (such as Tor) doing it right under OpenSSL now being unsafe when linked with an allegedly drop in replacement for OpenSSL. Nothing excuses that even if only a handful of programs are currently safe.

Read the comments, especially lines 130-153. This is more a case of "if your kernel doesn't provide a reliable means to fetch entropy, we'll try what we can, but there really isn't much we can do".

Line 142 suggests a much better alternative to using sketchy entropy: "Could raise(SIGKILL) resulting in silent program termination." They don't justify why silently returning sketchy entropy is better than SIGKILLing the process, except with: "This code path exists to bring light to the issue that Linux does not provide a failsafe API for entropy collection." Well, I agree that's an issue, but I don't think that's a good reason to potentially compromise the entropy gathering of a security critical library.

Also note that even if Linux retains sysctl or provides a safe alternative, it only fixes the chroot issue - forking will still be a problem unless LibreSSL rips out their userspace PRNG entirely and just passes RAND_bytes calls straight through to the syscall.

Reply