> The RAND_DRBG (crypto/rand/drbg_lib) APIs are quite some mess and sit badly > with the move to provider based infrastructure.
Actually, it is not the RAND_DRBG API itself (as it is in 1.1.1) which is messy. It’s the fact that part of its interface is very low level and that the EVP_RAND interface tries to move away from that. In particular, in the future seed sources will be pluggable by chaining the primary DRBG to an entropy source which is provided as a fetchable EVP_RAND interface, not by replacing some internal callbacks. (Note however, that fetchable entropy sources, in particular sources of low quality, are not implemented yet and won’t be implemented in time for version 3.0. But as far as I’m concerned, I can wait for 3.1, since my company is still transitioning from 1.0.2 to 1.1.1. ) Moving to the new approach while at the same time having to retain compatibility to the old approach, that’s what is creating the mess under the hood. Most notably, it’s the two functions RAND_DRBG_set_callbacks() and RAND_DRBG_set() which are creating the problems. Pull Request #12509 attempts to untangle the two RNG interfaces by providing two unrelated triples of RNGs (option 2 in Pauli’s proposal), an EVP_RAND triple and a RAND_DRBG triple. This does not work out well, as pointed out by me in [1]. There might be a variant of option (2) however to fix the problem described in [1], which could provide better compatibility: 4. Offer legacy RAND_METHOD (e.g. RAND_drbg_method(), RAND_OpenSSL_legacy(), …) as an alternative to RAND_OpenSSL() Anybody who currently uses the RAND_DRBG callback mechanism, could activate this legacy RAND_METHOD to switch from the new EVP_RAND triple to the legacy RAND_DRBG triple of random generators, and their callbacks would continue to work as expected. I still favour option (1), but (4) might be a reasonable compromise. It comes at a price, because both RAND_METHODs need to be fully supported and tested thoroughly. Matthias [1] https://github.com/openssl/openssl/pull/12509#pullrequestreview-455396828 From: openssl-project <openssl-project-boun...@openssl.org> On Behalf Of Dr Paul Dale Sent: Monday, July 27, 2020 3:08 AM To: openssl-project@openssl.org Subject: RAND_DRBG The RAND_DRBG (crypto/rand/drbg_lib) APIs are quite some mess and sit badly with the move to provider based infrastructure. They are definitely being deprecated in master but without more, the extra layer of indirection and additional complexity generating random numbers will remain. The option I see are: 1. Remove, rather than deprecate, RAND_DRBG in 3.0. This is a breaking change. 2. Bypass RAND_DRBG and live with a breaking change (refer: https://github.com/openssl/openssl/pull/12509#pullrequestreview-455396828) 3. Leave things as they currently are in master. The first two are breaking changes and will require an OMC vote. Some pertinent points: 1. RAND_bytes will continue to work as is — this API is perfect for almost everyone. 2. The RAND_METHOD functionality remains — this allows wholesale replacement of OpenSSL’s RNGs if desired. 3. The name EVP_RAND is the working name and might change — this is not relevant to this discussion. 4. The RAND_DRBG APIs are unlikely to be widely used — they were introduced in 1.1.1. The two users I know of (Akamai and NCP) are both fine with them being removed. Thoughts anyone? Pauli -- Dr Paul Dale | Distinguished Architect | Cryptographic Foundations Phone +61 7 3031 7217 Oracle Australia
