| Alex Gaynor | af82d5e | 2013-10-29 17:07:24 -0700 | [diff] [blame] | 1 | .. hazmat:: |
| Alex Gaynor | 0f7f781 | 2013-09-30 10:52:36 -0700 | [diff] [blame] | 2 | |
| Alex Stapleton | c5fffd3 | 2014-03-18 15:29:00 +0000 | [diff] [blame] | 3 | OpenSSL backend |
| Alex Gaynor | 8f42fe4 | 2013-12-24 13:15:52 -0800 | [diff] [blame] | 4 | =============== |
| Donald Stufft | e51fb93 | 2013-10-27 17:26:17 -0400 | [diff] [blame] | 5 | |
| Alex Gaynor | 0e8cdf1 | 2016-12-13 21:05:35 -0500 | [diff] [blame^] | 6 | The `OpenSSL`_ C library. Cryptography supports OpenSSL version 1.0.1 and |
| Alex Gaynor | 1252dec | 2016-06-18 11:11:57 -0400 | [diff] [blame] | 7 | greater. |
| Alex Gaynor | 6d02e2d | 2013-09-30 10:37:22 -0700 | [diff] [blame] | 8 | |
| Alex Gaynor | f8796b1 | 2013-12-13 20:28:55 -0800 | [diff] [blame] | 9 | .. data:: cryptography.hazmat.backends.openssl.backend |
| Alex Gaynor | 6d02e2d | 2013-09-30 10:37:22 -0700 | [diff] [blame] | 10 | |
| Paul Kehrer | 3f17c7c | 2014-01-20 16:32:26 -0600 | [diff] [blame] | 11 | This is the exposed API for the OpenSSL backend. |
| Paul Kehrer | 2502ce5 | 2014-01-18 09:32:47 -0600 | [diff] [blame] | 12 | |
| Alex Gaynor | 031c2cb | 2014-01-31 11:44:53 -0800 | [diff] [blame] | 13 | It implements the following interfaces: |
| 14 | |
| 15 | * :class:`~cryptography.hazmat.backends.interfaces.CipherBackend` |
| Paul Kehrer | 3d75429 | 2014-05-01 09:09:34 -0500 | [diff] [blame] | 16 | * :class:`~cryptography.hazmat.backends.interfaces.CMACBackend` |
| Paul Kehrer | 99a249d | 2015-01-04 15:55:22 -0600 | [diff] [blame] | 17 | * :class:`~cryptography.hazmat.backends.interfaces.DERSerializationBackend` |
| Paul Kehrer | 9e5056c | 2016-12-11 09:00:52 -0600 | [diff] [blame] | 18 | * :class:`~cryptography.hazmat.backends.interfaces.DHBackend` |
| Mohammed Attia | 59edb61 | 2014-04-25 22:44:40 +0200 | [diff] [blame] | 19 | * :class:`~cryptography.hazmat.backends.interfaces.DSABackend` |
| Terry Chia | 7b59df1 | 2014-12-28 20:46:26 +0800 | [diff] [blame] | 20 | * :class:`~cryptography.hazmat.backends.interfaces.EllipticCurveBackend` |
| Alex Gaynor | 031c2cb | 2014-01-31 11:44:53 -0800 | [diff] [blame] | 21 | * :class:`~cryptography.hazmat.backends.interfaces.HashBackend` |
| 22 | * :class:`~cryptography.hazmat.backends.interfaces.HMACBackend` |
| 23 | * :class:`~cryptography.hazmat.backends.interfaces.PBKDF2HMACBackend` |
| Alex Stapleton | 8f2250f | 2014-02-08 12:24:02 +0000 | [diff] [blame] | 24 | * :class:`~cryptography.hazmat.backends.interfaces.RSABackend` |
| Terry Chia | 7b59df1 | 2014-12-28 20:46:26 +0800 | [diff] [blame] | 25 | * :class:`~cryptography.hazmat.backends.interfaces.PEMSerializationBackend` |
| 26 | * :class:`~cryptography.hazmat.backends.interfaces.X509Backend` |
| Alex Gaynor | 031c2cb | 2014-01-31 11:44:53 -0800 | [diff] [blame] | 27 | |
| Terry Chia | d8a27df | 2016-09-01 23:39:57 +0800 | [diff] [blame] | 28 | It also implements the following interface for OpenSSL versions ``1.1.0`` |
| 29 | and above. |
| 30 | |
| 31 | * :class:`~cryptography.hazmat.backends.interfaces.ScryptBackend` |
| 32 | |
| Paul Kehrer | e4acd5d | 2014-02-03 21:59:29 -0600 | [diff] [blame] | 33 | It also exposes the following: |
| Paul Kehrer | 2502ce5 | 2014-01-18 09:32:47 -0600 | [diff] [blame] | 34 | |
| Paul Kehrer | cfa2d62 | 2014-01-19 14:01:25 -0600 | [diff] [blame] | 35 | .. attribute:: name |
| Paul Kehrer | 2502ce5 | 2014-01-18 09:32:47 -0600 | [diff] [blame] | 36 | |
| Paul Kehrer | cfa2d62 | 2014-01-19 14:01:25 -0600 | [diff] [blame] | 37 | The string name of this backend: ``"openssl"`` |
| Alex Gaynor | 6d02e2d | 2013-09-30 10:37:22 -0700 | [diff] [blame] | 38 | |
| Paul Kehrer | d52b89b | 2014-01-31 10:57:17 -0600 | [diff] [blame] | 39 | .. method:: activate_osrandom_engine() |
| Paul Kehrer | 3f17c7c | 2014-01-20 16:32:26 -0600 | [diff] [blame] | 40 | |
| Paul Kehrer | d52b89b | 2014-01-31 10:57:17 -0600 | [diff] [blame] | 41 | Activates the OS random engine. This will effectively disable OpenSSL's |
| 42 | default CSPRNG. |
| Paul Kehrer | 3f17c7c | 2014-01-20 16:32:26 -0600 | [diff] [blame] | 43 | |
| Christian Heimes | 2e71776 | 2016-12-09 17:02:26 +0100 | [diff] [blame] | 44 | .. method:: osrandom_engine_implementation() |
| 45 | |
| 46 | .. versionadded:: 1.7 |
| 47 | |
| 48 | Returns the implementation of OS random engine. |
| 49 | |
| Paul Kehrer | d258222 | 2014-02-05 16:21:19 -0600 | [diff] [blame] | 50 | .. method:: activate_builtin_random() |
| Paul Kehrer | 3f17c7c | 2014-01-20 16:32:26 -0600 | [diff] [blame] | 51 | |
| Paul Kehrer | d258222 | 2014-02-05 16:21:19 -0600 | [diff] [blame] | 52 | This will activate the default OpenSSL CSPRNG. |
| Paul Kehrer | 3f17c7c | 2014-01-20 16:32:26 -0600 | [diff] [blame] | 53 | |
| Alex Stapleton | c5fffd3 | 2014-03-18 15:29:00 +0000 | [diff] [blame] | 54 | OS random engine |
| Paul Kehrer | 3f17c7c | 2014-01-20 16:32:26 -0600 | [diff] [blame] | 55 | ---------------- |
| 56 | |
| Alex Gaynor | 01c634c | 2016-04-21 18:47:54 -0400 | [diff] [blame] | 57 | By default OpenSSL uses a user-space CSPRNG that is seeded from system random ( |
| Paul Kehrer | 136ff17 | 2014-01-29 21:23:11 -0600 | [diff] [blame] | 58 | ``/dev/urandom`` or ``CryptGenRandom``). This CSPRNG is not reseeded |
| 59 | automatically when a process calls ``fork()``. This can result in situations |
| 60 | where two different processes can return similar or identical keys and |
| 61 | compromise the security of the system. |
| Paul Kehrer | 3f17c7c | 2014-01-20 16:32:26 -0600 | [diff] [blame] | 62 | |
| Paul Kehrer | 136ff17 | 2014-01-29 21:23:11 -0600 | [diff] [blame] | 63 | The approach this project has chosen to mitigate this vulnerability is to |
| Alex Gaynor | 969f18e | 2014-05-17 20:07:35 -0700 | [diff] [blame] | 64 | include an engine that replaces the OpenSSL default CSPRNG with one that |
| 65 | sources its entropy from ``/dev/urandom`` on UNIX-like operating systems and |
| 66 | uses ``CryptGenRandom`` on Windows. This method of pulling from the system pool |
| Paul Kehrer | 136ff17 | 2014-01-29 21:23:11 -0600 | [diff] [blame] | 67 | allows us to avoid potential issues with `initializing the RNG`_ as well as |
| 68 | protecting us from the ``fork()`` weakness. |
| 69 | |
| Paul Kehrer | 8042b29 | 2014-01-31 10:44:36 -0600 | [diff] [blame] | 70 | This engine is **active** by default when importing the OpenSSL backend. When |
| 71 | active this engine will be used to generate all the random data OpenSSL |
| 72 | requests. |
| 73 | |
| Paul Kehrer | 8042b29 | 2014-01-31 10:44:36 -0600 | [diff] [blame] | 74 | When importing only the binding it is added to the engine list but |
| 75 | **not activated**. |
| 76 | |
| Paul Kehrer | 3f17c7c | 2014-01-20 16:32:26 -0600 | [diff] [blame] | 77 | |
| Alex Stapleton | c5fffd3 | 2014-03-18 15:29:00 +0000 | [diff] [blame] | 78 | OS random sources |
| Paul Kehrer | 55809a1 | 2014-01-29 21:41:16 -0600 | [diff] [blame] | 79 | ----------------- |
| Paul Kehrer | 9967bc5 | 2014-01-29 21:39:13 -0600 | [diff] [blame] | 80 | |
| 81 | On OS X and FreeBSD ``/dev/urandom`` is an alias for ``/dev/random`` and |
| 82 | utilizes the `Yarrow`_ algorithm. |
| 83 | |
| Paul Kehrer | 012bfbc | 2014-02-11 23:37:51 -0600 | [diff] [blame] | 84 | On Windows the implementation of ``CryptGenRandom`` depends on which version of |
| Paul Kehrer | 039b478 | 2014-02-11 23:50:56 -0600 | [diff] [blame] | 85 | the operation system you are using. See the `Microsoft documentation`_ for more |
| Paul Kehrer | 012bfbc | 2014-02-11 23:37:51 -0600 | [diff] [blame] | 86 | details. |
| Paul Kehrer | 9967bc5 | 2014-01-29 21:39:13 -0600 | [diff] [blame] | 87 | |
| Alex Gaynor | 969f18e | 2014-05-17 20:07:35 -0700 | [diff] [blame] | 88 | Linux uses its own PRNG design. ``/dev/urandom`` is a non-blocking source |
| 89 | seeded from the same pool as ``/dev/random``. |
| Paul Kehrer | 9967bc5 | 2014-01-29 21:39:13 -0600 | [diff] [blame] | 90 | |
| Christian Heimes | 2e71776 | 2016-12-09 17:02:26 +0100 | [diff] [blame] | 91 | +------------------------------------------+------------------------------+ |
| 92 | | Windows | ``CryptGenRandom()`` | |
| 93 | +------------------------------------------+------------------------------+ |
| 94 | | Linux >= 3.4.17 with working | ``getrandom(GRND_NONBLOCK)`` | |
| 95 | | ``SYS_getrandom`` syscall | | |
| 96 | +------------------------------------------+------------------------------+ |
| 97 | | OpenBSD >= 5.6 | ``getentropy()`` | |
| 98 | +------------------------------------------+------------------------------+ |
| 99 | | BSD family (including macOS 10.12+) with | ``getentropy()`` | |
| 100 | | ``SYS_getentropy`` in ``sys/syscall.h`` | | |
| 101 | +------------------------------------------+------------------------------+ |
| 102 | | fallback | ``/dev/urandom`` with | |
| 103 | | | cached file descriptor | |
| 104 | +------------------------------------------+------------------------------+ |
| 105 | |
| Paul Kehrer | 9967bc5 | 2014-01-29 21:39:13 -0600 | [diff] [blame] | 106 | |
| Alex Gaynor | 6d02e2d | 2013-09-30 10:37:22 -0700 | [diff] [blame] | 107 | .. _`OpenSSL`: https://www.openssl.org/ |
| Alex Gaynor | 677c531 | 2015-06-20 20:53:50 -0400 | [diff] [blame] | 108 | .. _`initializing the RNG`: https://en.wikipedia.org/wiki/OpenSSL#Predictable_private_keys_.28Debian-specific.29 |
| Alex Gaynor | e9df294 | 2014-12-12 10:56:26 -0800 | [diff] [blame] | 109 | .. _`Yarrow`: https://en.wikipedia.org/wiki/Yarrow_algorithm |
| Alex Gaynor | 3fad190 | 2015-02-18 12:48:29 -0800 | [diff] [blame] | 110 | .. _`Microsoft documentation`: https://msdn.microsoft.com/en-us/library/windows/desktop/aa379942(v=vs.85).aspx |