| Alex Gaynor | af82d5e | 2013-10-29 17:07:24 -0700 | [diff] [blame] | 1 | .. hazmat:: |
| Alex Gaynor | 0f7f781 | 2013-09-30 10:52:36 -0700 | [diff] [blame] | 2 | |
| Alex Gaynor | 8f42fe4 | 2013-12-24 13:15:52 -0800 | [diff] [blame] | 3 | OpenSSL Backend |
| 4 | =============== |
| Donald Stufft | e51fb93 | 2013-10-27 17:26:17 -0400 | [diff] [blame] | 5 | |
| Alex Stapleton | c368ac2 | 2013-12-31 13:43:38 +0000 | [diff] [blame] | 6 | The `OpenSSL`_ C library. |
| Alex Gaynor | 6d02e2d | 2013-09-30 10:37:22 -0700 | [diff] [blame] | 7 | |
| Alex Gaynor | f8796b1 | 2013-12-13 20:28:55 -0800 | [diff] [blame] | 8 | .. data:: cryptography.hazmat.backends.openssl.backend |
| Alex Gaynor | 6d02e2d | 2013-09-30 10:37:22 -0700 | [diff] [blame] | 9 | |
| Paul Kehrer | 3f17c7c | 2014-01-20 16:32:26 -0600 | [diff] [blame] | 10 | This is the exposed API for the OpenSSL backend. |
| Paul Kehrer | 2502ce5 | 2014-01-18 09:32:47 -0600 | [diff] [blame] | 11 | |
| Paul Kehrer | cfa2d62 | 2014-01-19 14:01:25 -0600 | [diff] [blame] | 12 | .. attribute:: name |
| Paul Kehrer | 2502ce5 | 2014-01-18 09:32:47 -0600 | [diff] [blame] | 13 | |
| Paul Kehrer | cfa2d62 | 2014-01-19 14:01:25 -0600 | [diff] [blame] | 14 | The string name of this backend: ``"openssl"`` |
| Alex Gaynor | 6d02e2d | 2013-09-30 10:37:22 -0700 | [diff] [blame] | 15 | |
| Paul Kehrer | d52b89b | 2014-01-31 10:57:17 -0600 | [diff] [blame] | 16 | .. method:: activate_osrandom_engine() |
| Paul Kehrer | 3f17c7c | 2014-01-20 16:32:26 -0600 | [diff] [blame] | 17 | |
| Paul Kehrer | d52b89b | 2014-01-31 10:57:17 -0600 | [diff] [blame] | 18 | Activates the OS random engine. This will effectively disable OpenSSL's |
| 19 | default CSPRNG. |
| Paul Kehrer | 3f17c7c | 2014-01-20 16:32:26 -0600 | [diff] [blame] | 20 | |
| Paul Kehrer | d52b89b | 2014-01-31 10:57:17 -0600 | [diff] [blame] | 21 | .. method:: deactivate_osrandom_engine() |
| Paul Kehrer | 3f17c7c | 2014-01-20 16:32:26 -0600 | [diff] [blame] | 22 | |
| Paul Kehrer | d52b89b | 2014-01-31 10:57:17 -0600 | [diff] [blame] | 23 | Deactivates the OS random engine if it is default. This will restore |
| Paul Kehrer | 3f17c7c | 2014-01-20 16:32:26 -0600 | [diff] [blame] | 24 | the default OpenSSL CSPRNG. If the OS random engine is not the default |
| 25 | engine (e.g. if another engine is set as default) nothing will be |
| 26 | changed. |
| 27 | |
| 28 | OS Random Engine |
| 29 | ---------------- |
| 30 | |
| Paul Kehrer | ae2138a | 2014-01-29 22:19:47 -0600 | [diff] [blame] | 31 | OpenSSL uses a user-space CSPRNG that is seeded from system random ( |
| Paul Kehrer | 136ff17 | 2014-01-29 21:23:11 -0600 | [diff] [blame] | 32 | ``/dev/urandom`` or ``CryptGenRandom``). This CSPRNG is not reseeded |
| 33 | automatically when a process calls ``fork()``. This can result in situations |
| 34 | where two different processes can return similar or identical keys and |
| 35 | compromise the security of the system. |
| Paul Kehrer | 3f17c7c | 2014-01-20 16:32:26 -0600 | [diff] [blame] | 36 | |
| Paul Kehrer | 136ff17 | 2014-01-29 21:23:11 -0600 | [diff] [blame] | 37 | The approach this project has chosen to mitigate this vulnerability is to |
| 38 | include an engine that replaces the OpenSSL default CSPRNG with one that sources |
| 39 | its entropy from ``/dev/urandom`` on UNIX-like operating systems and uses |
| 40 | ``CryptGenRandom`` on Windows. This method of pulling from the system pool |
| 41 | allows us to avoid potential issues with `initializing the RNG`_ as well as |
| 42 | protecting us from the ``fork()`` weakness. |
| 43 | |
| Paul Kehrer | 8042b29 | 2014-01-31 10:44:36 -0600 | [diff] [blame] | 44 | This engine is **active** by default when importing the OpenSSL backend. When |
| 45 | active this engine will be used to generate all the random data OpenSSL |
| 46 | requests. |
| 47 | |
| Paul Kehrer | 8042b29 | 2014-01-31 10:44:36 -0600 | [diff] [blame] | 48 | When importing only the binding it is added to the engine list but |
| 49 | **not activated**. |
| 50 | |
| Paul Kehrer | 3f17c7c | 2014-01-20 16:32:26 -0600 | [diff] [blame] | 51 | |
| Paul Kehrer | 9967bc5 | 2014-01-29 21:39:13 -0600 | [diff] [blame] | 52 | OS Random Sources |
| Paul Kehrer | 55809a1 | 2014-01-29 21:41:16 -0600 | [diff] [blame] | 53 | ----------------- |
| Paul Kehrer | 9967bc5 | 2014-01-29 21:39:13 -0600 | [diff] [blame] | 54 | |
| 55 | On OS X and FreeBSD ``/dev/urandom`` is an alias for ``/dev/random`` and |
| 56 | utilizes the `Yarrow`_ algorithm. |
| 57 | |
| 58 | On Windows ``CryptGenRandom`` is backed by `Fortuna`_. |
| 59 | |
| 60 | Linux uses its own PRNG design. ``/dev/urandom`` is a non-blocking source seeded |
| Paul Kehrer | 16e5e4d | 2014-01-30 09:43:30 -0600 | [diff] [blame] | 61 | from the same pool as ``/dev/random``. |
| Paul Kehrer | 9967bc5 | 2014-01-29 21:39:13 -0600 | [diff] [blame] | 62 | |
| 63 | |
| Alex Gaynor | 6d02e2d | 2013-09-30 10:37:22 -0700 | [diff] [blame] | 64 | .. _`OpenSSL`: https://www.openssl.org/ |
| Paul Kehrer | 136ff17 | 2014-01-29 21:23:11 -0600 | [diff] [blame] | 65 | .. _`initializing the RNG`: http://en.wikipedia.org/wiki/OpenSSL#Vulnerability_in_the_Debian_implementation |
| 66 | .. _`Yarrow`: http://en.wikipedia.org/wiki/Yarrow_algorithm |
| 67 | .. _`Fortuna`: http://en.wikipedia.org/wiki/Fortuna_(PRNG) |