[tor-bugs] #17799 [Core Tor/Tor]: Use a better PRNG unless OpenSSL starts using a better one on their own.
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Mar 21 15:01:42 UTC 2018
#17799: Use a better PRNG unless OpenSSL starts using a better one on their own.
-------------------------------------------------+-------------------------
Reporter: teor | Owner: nickm
Type: defect | Status: closed
Priority: Medium | Milestone: Tor: unspecified
Component: Core Tor/Tor | Version: Tor: unspecified
Severity: Normal | Resolution: worksforme
Keywords: tor-relay, tor-client, prng, crypto, review-group-34 | Actual Points: 5
Parent ID: | Points: 5
Reviewer: asn | Sponsor:
-------------------------------------------------+-------------------------
Changes (by nickm):
* status: new => closed
* resolution: => worksforme
Comment:
> Nick also told me something about future OpenSSL releases changing their
> RNG algorithm too, but I couldn't find info about this...
From the OpenSSL 1.1.1 changelog:
{{{
  *) Grand redesign of the OpenSSL random generator

     The default RAND method now utilizes an AES-CTR DRBG according to
     NIST standard SP 800-90Ar1. The new random generator is essentially
     a port of the default random generator from the OpenSSL FIPS 2.0
     object module. It is a hybrid deterministic random bit generator
     using an AES-CTR bit stream and which seeds and reseeds itself
     automatically using trusted system entropy sources.

     Some of its new features are:
      o Support for multiple DRBG instances with seed chaining.
      o Add a public DRBG instance for the default RAND method.
      o Add a dedicated DRBG instance for generating long term private
        keys.
      o Make the DRBG instances fork-safe.
      o Keep all global DRBG instances on the secure heap if it is
        enabled.
      o Add a DRBG instance to every SSL instance for lock free operation
        and to increase unpredictability.
     [Paul Dale, Benjamin Kaduk, Kurt Roeckx, Rich Salz, Matthias St. Pierre]
}}}
So yeah, I think it's fine for us to drop this. No worries; I had fun
writing the code, but I don't need to maintain it forever.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17799#comment:69>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
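
Added example, not part of the original ticket and not OpenSSL's or Tor's code: a toy HMAC-SHA256 generator (an assumption standing in for the AES-CTR DRBG) that shows what the changelog's "fork-safe" item guards against. The names `ToyDRBG` and `outputs_after_fork` are hypothetical, and the PID comparison is one simple way to detect a fork, assumed here for illustration.

```python
import hashlib
import hmac
import os

class ToyDRBG:
    """Toy userspace generator: HMAC-SHA256 over a counter. Illustration only."""
    def __init__(self, fork_safe):
        self.fork_safe = fork_safe
        self.reseed()

    def reseed(self):
        self.key = os.urandom(32)   # fresh seed from the system entropy source
        self.counter = 0
        self.pid = os.getpid()      # remember which process owns this state

    def generate(self, n):
        # After fork() the child holds a byte-for-byte copy of key and counter.
        if self.fork_safe and os.getpid() != self.pid:
            self.reseed()           # state was inherited from the parent: discard it
        out = b""
        while len(out) < n:
            self.counter += 1
            block = self.counter.to_bytes(16, "big")
            out += hmac.new(self.key, block, hashlib.sha256).digest()
        return out[:n]

def outputs_after_fork(fork_safe, n=16):
    """Return (parent_bytes, child_bytes), each drawn right after fork()."""
    drbg = ToyDRBG(fork_safe)
    drbg.generate(n)                # generator is already in use before the fork
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:                    # child: report its next output and exit
        try:
            os.write(w, drbg.generate(n))
        finally:
            os._exit(0)
    os.close(w)
    child = os.read(r, n)
    os.close(r)
    os.waitpid(pid, 0)
    return drbg.generate(n), child

if __name__ == "__main__":
    for mode in (False, True):
        parent, child = outputs_after_fork(mode)
        print(f"fork_safe={mode}: parent={parent.hex()} "
              f"child={child.hex()} identical={parent == child}")
```

Requires a POSIX system, since it calls `os.fork()`.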