Re: Regarding the optional OpenSSL integration for the portable version

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Fri, May 02, 2014 at 02:56:59PM +1000, Damien Miller wrote:
> On Thu, 1 May 2014, Brent Cook wrote:
> 
> > Hi,
> >
> > I have been working on a portable LibreSSL build tree for a little
> > while to test the waters: http://github.com/busterb/libressl
> >
> > Someone noticed an issue with the arc4random
> > implementation that I originally grabbed from libbsd
> > https://github.com/busterb/libressl/issues/1
> >
> > So, I looked at how OpenSSH handles it, and noticed that it uses the
> > random functions from OpenSSL unconditionally to seed the state of its
> > version of arc4random.
> 
> I haven't ported the no-OpenSSL changes yet and haven't thought about
> how I'll handle arc4random.
> 
> I'll probably make an explicit arc4random_stir() function that we can
> call in various places. OpenBSD has put some effort in to ensure that
> the kernel PRNG is available in pretty much any context (privileged,
> unprivileged, in chroot without devices, etc.) and AFAIK no other OS
> does this.

NetBSD and FreeBSD (as of 10.0) both use a sysctl, just like OpenBSD. Linux
also has an obscure sysctl which pulls directly from the internal CSPRNG. So
all of these will work in a jail without /dev or /proc.

OS X still seeds itself from /dev/urandom in its arc4random implementation,
as it inherited FreeBSD's old code. Solaris sadly only has
/dev/urandom.

For my Lua bindings to OpenSSL I use all of these different mechanisms to
explicitly seed OpenSSL. The code is in randL_stir. Here's a direct link:

https://github.com/wahern/luaossl/blob/dd0ad8dc1b0962fc80dbf680aadaaaba6536c96b/src/openssl.c#L4008

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev




[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux