Require OpenSSL >= 1.0.2 explicitly #1487
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -341,14 +341,16 @@ StructGuard<EVP_PKEY> Crypto::generateRSAKeyPairEVP(KeyType key_type) { | |
| return {nullptr, EVP_PKEY_free}; | ||
| } | ||
|
|
||
| int ret; | ||
|
|
||
| ret = RAND_status(); | ||
|
There was a problem hiding this comment. I've had a look at OpenSSL and I'm not convinced this is needed, as the same check is done in A check like that only verifies that the library is self-consistent but the bad scenario is actually when openssl thinks everything was seeded properly but it read from After a quick strace, on recent distributions, openssl 1.1.1d uses
Maybe the simplest fix would be to have a globabl blocking There was a problem hiding this comment. Another interesting reference: openssl/openssl#9595 There was a problem hiding this comment. Hm actually I misread the LWN post and the EAGAIN check probably does not guarantee anything. The last solution might actually be the better one. There was a problem hiding this comment.
Erm, I'm kinda confused. The RAND_status() and RAND_poll() are not the same. Also I'd rather avoid depending on OpenSSL's internal implementation details. If RSA_generate_key_ex() man says that RNG should be seeded than I see no harm in explicitly checking that it's seeded - even in OpenSSL does the same internally.
This would introduce dependency on Linux kernel 3.17+ and glibc 2.25+ which is not available on xenial AFAIK. I'm also not sure how it differs from current PR - could you elaborate?
Indeed, my concern as well. On possible workaround could be using https://www.freedesktop.org/software/systemd/man/systemd-random-seed.service.html with entropy crediting to make sure we start after entropy pool has been taken care of. There was a problem hiding this comment.
The syscall can also be used without going through glibc. |
||
| if (ret != 1) { /* random generator has NOT been seeded with enough data */ | ||
| ret = RAND_poll(); | ||
| if (ret != 1) { /* seed data was NOT generated */ | ||
| return {nullptr, EVP_PKEY_free}; | ||
| } | ||
| } | ||
|
There was a problem hiding this comment. Can you elucidate a bit what the goal of this chunk is? If both of these calls fail, is that a problem, or is silently failing and moving on acceptable? There was a problem hiding this comment. Yes, it's a problem and we should fail. The likelyhood of this in practice is pretty low though:
Still, I'd rather be paranoid and fail than accidentially generate predictable keys. There was a problem hiding this comment. It looks like we will fail as expected when this function returns null in There was a problem hiding this comment. @zabbal Can you give some references from what you saw in the docs? https://www.openssl.org/docs/man1.0.2/man3/RSA_generate_key_ex.html Is your concern based on this sentence present in the 1.1.1 docs and not in the 1.0.2?
There was a problem hiding this comment.
That and the "The pseudo-random number generator must be seeded prior to calling RSA_generate_key_ex()" which is present in both versions. See also https://www.openssl.org/docs/manmaster/man3/RAND_add.html - in particular "RAND_status() indicates whether or not the random generator has been sufficiently seeded". There was a problem hiding this comment. I'm not too concerned because if the operation fails it will return an error and not silently give us a bad key. If you still think that's best we can still keep these lines I suppose. There was a problem hiding this comment. Well, it's not best in a sense "this guarantees lack of bad keys". It's best in a sense "we follow docs closely" and "we won't have bad keys provided docs are correct". The latter might not be the case of course but that would be separate fix on top of this. |
||
|
|
||
| StructGuard<BIGNUM> bne(BN_new(), BN_free); | ||
| ret = BN_set_word(bne.get(), RSA_F4); | ||
| if (ret != 1) { | ||
|
|
@@ -361,7 +363,6 @@ StructGuard<EVP_PKEY> Crypto::generateRSAKeyPairEVP(KeyType key_type) { | |
| if (ret != 1) { | ||
| return {nullptr, EVP_PKEY_free}; | ||
| } | ||
|
|
||
| StructGuard<EVP_PKEY> pkey(EVP_PKEY_new(), EVP_PKEY_free); | ||
| // release the rsa pointer here, pkey is the new owner | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks like we're dropping the minimal support for pre-1.1 that we had. Am I misreading it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We're dropping support for pre-0.9.8 - the check against 1.1 was incorrect. Otherwise CI on xenial would barf.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we have a way to test that 0.9.8 will work? My memory is that xenial is still something like 1.0.2. Although if the xenial tests are passing with this as it is, that's probably good enough. I don't think we've ever tested something before 1.0.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we hadn't tested 0.9.8 before than I don't think it's worth it to start now.