From: Louis LeBlanc <[EMAIL PROTECTED]>

leblanc> The project involved an https load generator - primarily used
leblanc> for correctness testing of another project.  I had the worst
leblanc> time getting the initial handshake to work.  The dreaded
leblanc> 'PRNG not seeded' message kept plaguing me.  Finally I did
leblanc> about a hundred searches on the openssl-users list archives
leblanc> (no, it isn't in the FAQ),

Yes, it *is*, and has been since the start of the FAQ, which was about
5 days before 0.9.5 was released...  You can look for yourself in the
CVSweb, at http://www.openssl.org/source/cvs/FAQ.

leblanc> and found that 0.9.5 and later have some problem seeding the
leblanc> handshake values if /dev/urandom does not exist (like on
leblanc> Solaris 2.7).  The entries I found said that the current
leblanc> snapshots should fix it (and yes, it is a bug).

No, it's a feature (according to the rule that a bug that is
documented is really a feature :-)).

Seriously, 0.9.4 carries a much more serious bug, and it's that if
there is no /dev/urandom, OpenSSL has an entropy pool that has been
seeded with the current PID, the current uid and the current time,
which equals no entropy from a security point of view.  Therefore, it
was decided some time before the release of 0.9.5 that unless there is
at least 128 bits of entropy, the PRNG would refuse to give out any
randomness.

So again, from a serious security point of view, this is not a bug,
it's a feature.  And remember that OpenSSL deals with exactly that:
security.

It's therefore up to the application to add the random seed as it sees
fit, until the demand for enough entropy has been met.  The functions
RAND_seed(), RAND_add() and RAND_status() are there for you, man.
Also RAND_egd() if you use EGD.

It can be argued that OpenSSL could try to build entropy by forking
and running all kinds of programs and use their output as entropy
(this is what EGD does for you, should you decide to use it).
However, the crypto library of OpenSSL might be used in an application
that runs as root, so you can guess what kind of security hole we
would leave open to the world if we did that.

Also, I would stop using 0.9.4 if I were you, at least if you're the
least bit concerned by security, since that version didn't check the
amount of entropy that went into the pool, and therefore gave really
bad randomness unless there was a /dev/urandom...

Note that for Solaris 2.6, there is a Sunski package in patch 105710-01
that adds a /dev/random device.  However, since /dev/random is usually
a blocking device, it is possible that libcrypto will just hang,
waiting for more data...  I guess I'll have to check that out at work.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
Redakteur@Stacken   \      SWEDEN       \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
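The seeding loop the reply describes, as an added example that is not from the original mail or from the OpenSSL project: it uses Python's stdlib ssl module, which exposes OpenSSL's RAND_status() and RAND_add() directly, and reads /dev/random non-blocking so the hang mentioned for Solaris cannot occur. The chunk size, the byte and idle budgets, and the 8-bits-per-byte entropy estimate are this example's own assumptions.

```python
import errno
import os
import ssl

SEED_FILE = "/dev/random"   # may block on old systems, hence O_NONBLOCK below
CHUNK = 32                  # bytes handed to RAND_add() per call (assumption)
MAX_BYTES = 4096            # give up rather than loop forever on a dry source
MAX_IDLE = 1000             # consecutive empty non-blocking reads before giving up


def feed_until_seeded(read_chunk, status=ssl.RAND_status, add=ssl.RAND_add,
                      bits_per_byte=8.0, max_bytes=MAX_BYTES, max_idle=MAX_IDLE):
    """Feed bytes from read_chunk() into the PRNG until status() reports the
    128-bit threshold has been met.  read_chunk() returns b'' when the source
    has nothing right now and None when it is exhausted.
    Returns (seeded, bytes_fed)."""
    fed, idle = 0, 0
    while not status():
        if fed >= max_bytes or idle >= max_idle:
            return False, fed
        chunk = read_chunk()
        if chunk is None:
            return False, fed
        if not chunk:
            idle += 1
            continue
        # The second argument is our own estimate of how much entropy the
        # bytes carry; OpenSSL counts it toward the 128-bit requirement.
        add(chunk, len(chunk) * bits_per_byte)
        fed += len(chunk)
        idle = 0
    return True, fed


def dev_random_reader(path=SEED_FILE):
    """Non-blocking reader so libcrypto cannot hang waiting on /dev/random."""
    fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)

    def read_chunk():
        try:
            return os.read(fd, CHUNK)
        except OSError as exc:
            if exc.errno == errno.EAGAIN:
                return b""      # no entropy available yet; caller retries
            raise
    return read_chunk


def ensure_seeded():
    """Return True once RAND_status() is 1, feeding /dev/random if needed."""
    if ssl.RAND_status():
        return True             # current OpenSSL seeds itself at start-up
    seeded, _ = feed_until_seeded(dev_random_reader())
    return seeded
```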