[tor-bugs] #17799 [Core Tor/Tor]: Hash All PRNG output before use

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Apr 25 19:44:11 UTC 2016


#17799: Hash All PRNG output before use
-------------------------------+----------------------------------------
 Reporter:  teor               |          Owner:  nickm
     Type:  defect             |         Status:  needs_revision
 Priority:  Medium             |      Milestone:  Tor: 0.2.9.x-final
Component:  Core Tor/Tor       |        Version:  Tor: unspecified
 Severity:  Normal             |     Resolution:
 Keywords:  TorCoreTeam201604  |  Actual Points:
Parent ID:                     |         Points:  small/medium-remaining
 Reviewer:  asn                |        Sponsor:
-------------------------------+----------------------------------------

Comment (by nickm):

 Changes incorporated, I believe, except as noted below.

 {{{
 +    // cpunk: What happens here on "coverage" builds?
 }}}

 I'm assuming you mean "coverage" builds that also set --disable-asserts-
 in-tests.  They break; --disable-asserts-in-tests makes your tor broken.
 I'm adding a ticket (#18888) to make them warn even more loudly, in case
 somebody thinks it's a good idea to actually use that in production.

 {{{
  shake_prng_getbytes_large(shake_prng_t *prng, uint8_t *out, size_t n)
 +// cpunk: So, this function has a different behaviour, compared to
 _raw(), in
 +// that it pulls in less external entropy (openssl, libc) for the same
 amount
 +// of bytes.  Is this significant?  Does it change its cryptographic
 profile?
 +// Compare the following two:
 +//
 +//   1)
 +//     crypto_rand(buf, desired_size)
 +//
 +//   2)
 +//     not_large_size = 128
 +//     for (i = 0; i < desired_size/not_large_size; ++i)
 +//       crypto_rand(buf + i*not_large_size, not_large_size)
 +//     crypto_rand(buf + i*not_large_size, desired_size -
 i*not_large_size)
 +//
 +// Where desired_size is large enough to cause refill(s).
 }}}

 So, the entire "reseed periodically after a certain amount of data"
 business is a bit voodoo; I've added notes to the check_reseed function.
 I've added a bit more commentary to the getbytes_large function itself
 too.

 {{{
    crypto_teardown_shake_prng(); /* ???? */
 +                                // -> cpunk: What is it?
 }}}

 I think I was wondering whether it causes a redundant call to
 crypto_teardown_shake_prng().


 {{{
    RAND_set_rand_method(&ossl_shake_method);
 +  // cpunk: From
 https://www.openssl.org/docs/manmaster/crypto/RAND_set_rand_method.html
 +  //
 +  //   RAND_set_default_method() makes meth the method for PRNG use. NB:
 This
 +  //   is true only whilst no ENGINE has been set as a default for RAND,
 so
 +  //   this function is no longer recommended.
 +  //
 +  // And later (RAND_METHOD is a typedef for rand_meth_st):
 +  //
 +  //   RAND_METHOD implementations are grouped together with other
 algorithmic
 +  //   APIs (eg. RSA_METHOD, EVP_CIPHER, etc) in ENGINE modules.  If a
 default
 +  //   ENGINE is specified for RAND functionality using an ENGINE API
 function,
 +  //   that will override any RAND defaults set using the RAND API (ie.
 +  //   RAND_set_rand_method()). For this reason, the ENGINE API is the
 +  //   recommended way to control default implementations for use in RAND
 and
 +  //   other cryptographic algorithms.
 +  //
 +  // IIUC, openssl seems to be saying this should be implemented as an
 engine
 +  // instead; or maybe it should be compiled with OPENSSL_NO_ENGINE to
 make
 +  // sure?  Just a thought.
  }
 }}}

 I've left this comment in-place while I investigate.  When I last looked
 at the openssl code, it appeared to be the case that OpenSSL's engines
 overrode any previous calls to set_rand_method, but that subsequent calls
 to set_rand_method overrode them.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17799#comment:37>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list