[tor-bugs] #17799 [Core Tor/Tor]: Use a better PRNG unless OpenSSL starts using a better one on their own.

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Mar 21 13:48:29 UTC 2018


#17799: Use a better PRNG unless OpenSSL starts using a better one on their own.
-------------------------------------------------+-------------------------
 Reporter:  teor                                 |          Owner:  nickm
     Type:  defect                               |         Status:  new
 Priority:  Medium                               |      Milestone:  Tor:
                                                 |  0.3.4.x-final
Component:  Core Tor/Tor                         |        Version:  Tor:
                                                 |  unspecified
 Severity:  Normal                               |     Resolution:
 Keywords:  tor-relay, tor-client, prng,         |  Actual Points:  5
  crypto, review-group-34                        |
Parent ID:                                       |         Points:  5
 Reviewer:  asn                                  |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by asn):

 * status:  needs_review => new


Comment:

 Hmm, this ticket again! My intuition here is to NACK this for now even tho
 I feel like the code is probably OK, and that's for the following reasons:
 - The code here is 2 years old, and will add about 1k LoC to our PRNG
 subsystem. Even tho the code is probably OK, it's quite complicated and we
 will need to maintain it. This is also a pretty big feature for something
 not on the roadmap.
 - All this is done to protect against the threat of backdoored RNGs like
 Dual-EC, or horribly bad RNGs which get broken if some of their state gets
 leaked. I haven't heard of this threat since the Dual-EC thing happened,
 and not sure if trying to fix it on the Tor-layer is a good idea.
 - WRT fixing this on the Tor layer, this might be suboptimal since our
 other libraries (like our SSL lib) can also reveal the state of our RNG
 and hence leak it even tho we patched it in Tor. In general, I feel that
 if we don't trust OpenSSL or our crypto libraries we are already pretty
 much screwed up...

 In general, I feel inclined to put this back in `Tor: unspecified` or
 `WONTFIX` it and revive it in the future if we ever need to (hopefully
 not).

 Nick also told me something about future OpenSSL releases changing their
 RNG algorithm too, but I couldn't find info about this...

 Setting this as `new` for now.
 Nick, what do you think? This ticket was lots of work and I don't want to
 put it to waste so easily.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17799#comment:67>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

