| Alex Gaynor | af82d5e | 2013-10-29 17:07:24 -0700 | [diff] [blame] | 1 | .. hazmat:: |
| Alex Gaynor | 0f7f781 | 2013-09-30 10:52:36 -0700 | [diff] [blame] | 2 | |
| Alex Stapleton | c5fffd3 | 2014-03-18 15:29:00 +0000 | [diff] [blame] | 3 | OpenSSL backend |
| Alex Gaynor | 8f42fe4 | 2013-12-24 13:15:52 -0800 | [diff] [blame] | 4 | =============== |
| Donald Stufft | e51fb93 | 2013-10-27 17:26:17 -0400 | [diff] [blame] | 5 | |
| Paul Kehrer | 12649af | 2014-03-10 12:45:19 -0400 | [diff] [blame] | 6 | The `OpenSSL`_ C library. Cryptography supports version ``0.9.8e`` (present in |
| 7 | Red Hat Enterprise Linux 5) and greater. Earlier versions may work but are |
| 8 | **not tested or supported**. |
| Alex Gaynor | 6d02e2d | 2013-09-30 10:37:22 -0700 | [diff] [blame] | 9 | |
| Alex Gaynor | f8796b1 | 2013-12-13 20:28:55 -0800 | [diff] [blame] | 10 | .. data:: cryptography.hazmat.backends.openssl.backend |
| Alex Gaynor | 6d02e2d | 2013-09-30 10:37:22 -0700 | [diff] [blame] | 11 | |
| Paul Kehrer | 3f17c7c | 2014-01-20 16:32:26 -0600 | [diff] [blame] | 12 | This is the exposed API for the OpenSSL backend. |
| Paul Kehrer | 2502ce5 | 2014-01-18 09:32:47 -0600 | [diff] [blame] | 13 | |
| Alex Gaynor | 031c2cb | 2014-01-31 11:44:53 -0800 | [diff] [blame] | 14 | It implements the following interfaces: |
| 15 | |
| 16 | * :class:`~cryptography.hazmat.backends.interfaces.CipherBackend` |
| Paul Kehrer | 3d75429 | 2014-05-01 09:09:34 -0500 | [diff] [blame] | 17 | * :class:`~cryptography.hazmat.backends.interfaces.CMACBackend` |
| Mohammed Attia | 59edb61 | 2014-04-25 22:44:40 +0200 | [diff] [blame] | 18 | * :class:`~cryptography.hazmat.backends.interfaces.DSABackend` |
| Alex Gaynor | 031c2cb | 2014-01-31 11:44:53 -0800 | [diff] [blame] | 19 | * :class:`~cryptography.hazmat.backends.interfaces.HashBackend` |
| 20 | * :class:`~cryptography.hazmat.backends.interfaces.HMACBackend` |
| 21 | * :class:`~cryptography.hazmat.backends.interfaces.PBKDF2HMACBackend` |
| Alex Stapleton | 8f2250f | 2014-02-08 12:24:02 +0000 | [diff] [blame] | 22 | * :class:`~cryptography.hazmat.backends.interfaces.RSABackend` |
| Alex Gaynor | 031c2cb | 2014-01-31 11:44:53 -0800 | [diff] [blame] | 23 | |
| Paul Kehrer | e4acd5d | 2014-02-03 21:59:29 -0600 | [diff] [blame] | 24 | It also exposes the following: |
| Paul Kehrer | 2502ce5 | 2014-01-18 09:32:47 -0600 | [diff] [blame] | 25 | |
| Paul Kehrer | cfa2d62 | 2014-01-19 14:01:25 -0600 | [diff] [blame] | 26 | .. attribute:: name |
| Paul Kehrer | 2502ce5 | 2014-01-18 09:32:47 -0600 | [diff] [blame] | 27 | |
| Paul Kehrer | cfa2d62 | 2014-01-19 14:01:25 -0600 | [diff] [blame] | 28 | The string name of this backend: ``"openssl"`` |
| Alex Gaynor | 6d02e2d | 2013-09-30 10:37:22 -0700 | [diff] [blame] | 29 | |
| Paul Kehrer | d52b89b | 2014-01-31 10:57:17 -0600 | [diff] [blame] | 30 | .. method:: activate_osrandom_engine() |
| Paul Kehrer | 3f17c7c | 2014-01-20 16:32:26 -0600 | [diff] [blame] | 31 | |
| Paul Kehrer | d52b89b | 2014-01-31 10:57:17 -0600 | [diff] [blame] | 32 | Activates the OS random engine. This will effectively disable OpenSSL's |
| 33 | default CSPRNG. |
| Paul Kehrer | 3f17c7c | 2014-01-20 16:32:26 -0600 | [diff] [blame] | 34 | |
| Paul Kehrer | d258222 | 2014-02-05 16:21:19 -0600 | [diff] [blame] | 35 | .. method:: activate_builtin_random() |
| Paul Kehrer | 3f17c7c | 2014-01-20 16:32:26 -0600 | [diff] [blame] | 36 | |
| Paul Kehrer | d258222 | 2014-02-05 16:21:19 -0600 | [diff] [blame] | 37 | This will activate the default OpenSSL CSPRNG. |
| Paul Kehrer | 3f17c7c | 2014-01-20 16:32:26 -0600 | [diff] [blame] | 38 | |
| Alex Stapleton | c5fffd3 | 2014-03-18 15:29:00 +0000 | [diff] [blame] | 39 | OS random engine |
| Paul Kehrer | 3f17c7c | 2014-01-20 16:32:26 -0600 | [diff] [blame] | 40 | ---------------- |
| 41 | |
| Paul Kehrer | ae2138a | 2014-01-29 22:19:47 -0600 | [diff] [blame] | 42 | OpenSSL uses a user-space CSPRNG that is seeded from system random ( |
| Paul Kehrer | 136ff17 | 2014-01-29 21:23:11 -0600 | [diff] [blame] | 43 | ``/dev/urandom`` or ``CryptGenRandom``). This CSPRNG is not reseeded |
| 44 | automatically when a process calls ``fork()``. This can result in situations |
| 45 | where two different processes can return similar or identical keys and |
| 46 | compromise the security of the system. |
| Paul Kehrer | 3f17c7c | 2014-01-20 16:32:26 -0600 | [diff] [blame] | 47 | |
| Paul Kehrer | 136ff17 | 2014-01-29 21:23:11 -0600 | [diff] [blame] | 48 | The approach this project has chosen to mitigate this vulnerability is to |
| Alex Gaynor | 969f18e | 2014-05-17 20:07:35 -0700 | [diff] [blame] | 49 | include an engine that replaces the OpenSSL default CSPRNG with one that |
| 50 | sources its entropy from ``/dev/urandom`` on UNIX-like operating systems and |
| 51 | uses ``CryptGenRandom`` on Windows. This method of pulling from the system pool |
| Paul Kehrer | 136ff17 | 2014-01-29 21:23:11 -0600 | [diff] [blame] | 52 | allows us to avoid potential issues with `initializing the RNG`_ as well as |
| 53 | protecting us from the ``fork()`` weakness. |
| 54 | |
| Paul Kehrer | 8042b29 | 2014-01-31 10:44:36 -0600 | [diff] [blame] | 55 | This engine is **active** by default when importing the OpenSSL backend. When |
| 56 | active this engine will be used to generate all the random data OpenSSL |
| 57 | requests. |
| 58 | |
| Paul Kehrer | 8042b29 | 2014-01-31 10:44:36 -0600 | [diff] [blame] | 59 | When importing only the binding it is added to the engine list but |
| 60 | **not activated**. |
| 61 | |
| Paul Kehrer | 3f17c7c | 2014-01-20 16:32:26 -0600 | [diff] [blame] | 62 | |
| Alex Stapleton | c5fffd3 | 2014-03-18 15:29:00 +0000 | [diff] [blame] | 63 | OS random sources |
| Paul Kehrer | 55809a1 | 2014-01-29 21:41:16 -0600 | [diff] [blame] | 64 | ----------------- |
| Paul Kehrer | 9967bc5 | 2014-01-29 21:39:13 -0600 | [diff] [blame] | 65 | |
| 66 | On OS X and FreeBSD ``/dev/urandom`` is an alias for ``/dev/random`` and |
| 67 | utilizes the `Yarrow`_ algorithm. |
| 68 | |
| Paul Kehrer | 012bfbc | 2014-02-11 23:37:51 -0600 | [diff] [blame] | 69 | On Windows the implementation of ``CryptGenRandom`` depends on which version of |
| Paul Kehrer | 039b478 | 2014-02-11 23:50:56 -0600 | [diff] [blame] | 70 | the operation system you are using. See the `Microsoft documentation`_ for more |
| Paul Kehrer | 012bfbc | 2014-02-11 23:37:51 -0600 | [diff] [blame] | 71 | details. |
| Paul Kehrer | 9967bc5 | 2014-01-29 21:39:13 -0600 | [diff] [blame] | 72 | |
| Alex Gaynor | 969f18e | 2014-05-17 20:07:35 -0700 | [diff] [blame] | 73 | Linux uses its own PRNG design. ``/dev/urandom`` is a non-blocking source |
| 74 | seeded from the same pool as ``/dev/random``. |
| Paul Kehrer | 9967bc5 | 2014-01-29 21:39:13 -0600 | [diff] [blame] | 75 | |
| 76 | |
| Alex Gaynor | 6d02e2d | 2013-09-30 10:37:22 -0700 | [diff] [blame] | 77 | .. _`OpenSSL`: https://www.openssl.org/ |
| Alex Gaynor | 2332c19 | 2014-04-23 08:07:27 -0700 | [diff] [blame] | 78 | .. _`initializing the RNG`: https://en.wikipedia.org/wiki/OpenSSL#Predictable_keys_.28Debian-specific.29 |
| Paul Kehrer | 136ff17 | 2014-01-29 21:23:11 -0600 | [diff] [blame] | 79 | .. _`Yarrow`: http://en.wikipedia.org/wiki/Yarrow_algorithm |
| Paul Kehrer | b4f7d88 | 2014-02-11 23:29:51 -0600 | [diff] [blame] | 80 | .. _`Microsoft documentation`: http://msdn.microsoft.com/en-us/library/windows/desktop/aa379942(v=vs.85).aspx |