| Alex Gaynor | af82d5e | 2013-10-29 17:07:24 -0700 | [diff] [blame] | 1 | .. hazmat:: |
| Alex Gaynor | 0f7f781 | 2013-09-30 10:52:36 -0700 | [diff] [blame] | 2 | |
| Alex Gaynor | 8f42fe4 | 2013-12-24 13:15:52 -0800 | [diff] [blame] | 3 | OpenSSL Backend |
| 4 | =============== |
| Donald Stufft | e51fb93 | 2013-10-27 17:26:17 -0400 | [diff] [blame] | 5 | |
| Alex Stapleton | c368ac2 | 2013-12-31 13:43:38 +0000 | [diff] [blame] | 6 | The `OpenSSL`_ C library. |
| Alex Gaynor | 6d02e2d | 2013-09-30 10:37:22 -0700 | [diff] [blame] | 7 | |
| Alex Gaynor | f8796b1 | 2013-12-13 20:28:55 -0800 | [diff] [blame] | 8 | .. data:: cryptography.hazmat.backends.openssl.backend |
| Alex Gaynor | 6d02e2d | 2013-09-30 10:37:22 -0700 | [diff] [blame] | 9 | |
| Paul Kehrer | 3f17c7c | 2014-01-20 16:32:26 -0600 | [diff] [blame] | 10 | This is the exposed API for the OpenSSL backend. |
| Paul Kehrer | 2502ce5 | 2014-01-18 09:32:47 -0600 | [diff] [blame] | 11 | |
| Alex Gaynor | 031c2cb | 2014-01-31 11:44:53 -0800 | [diff] [blame] | 12 | It implements the following interfaces: |
| 13 | |
| 14 | * :class:`~cryptography.hazmat.backends.interfaces.CipherBackend` |
| 15 | * :class:`~cryptography.hazmat.backends.interfaces.HashBackend` |
| 16 | * :class:`~cryptography.hazmat.backends.interfaces.HMACBackend` |
| 17 | * :class:`~cryptography.hazmat.backends.interfaces.PBKDF2HMACBackend` |
| 18 | |
| Paul Kehrer | e4acd5d | 2014-02-03 21:59:29 -0600 | [diff] [blame^] | 19 | It also exposes the following: |
| Paul Kehrer | 2502ce5 | 2014-01-18 09:32:47 -0600 | [diff] [blame] | 20 | |
| Paul Kehrer | cfa2d62 | 2014-01-19 14:01:25 -0600 | [diff] [blame] | 21 | .. attribute:: name |
| Paul Kehrer | 2502ce5 | 2014-01-18 09:32:47 -0600 | [diff] [blame] | 22 | |
| Paul Kehrer | cfa2d62 | 2014-01-19 14:01:25 -0600 | [diff] [blame] | 23 | The string name of this backend: ``"openssl"`` |
| Alex Gaynor | 6d02e2d | 2013-09-30 10:37:22 -0700 | [diff] [blame] | 24 | |
| Paul Kehrer | d52b89b | 2014-01-31 10:57:17 -0600 | [diff] [blame] | 25 | .. method:: activate_osrandom_engine() |
| Paul Kehrer | 3f17c7c | 2014-01-20 16:32:26 -0600 | [diff] [blame] | 26 | |
| Paul Kehrer | d52b89b | 2014-01-31 10:57:17 -0600 | [diff] [blame] | 27 | Activates the OS random engine. This will effectively disable OpenSSL's |
| 28 | default CSPRNG. |
| Paul Kehrer | 3f17c7c | 2014-01-20 16:32:26 -0600 | [diff] [blame] | 29 | |
| Paul Kehrer | d52b89b | 2014-01-31 10:57:17 -0600 | [diff] [blame] | 30 | .. method:: deactivate_osrandom_engine() |
| Paul Kehrer | 3f17c7c | 2014-01-20 16:32:26 -0600 | [diff] [blame] | 31 | |
| Paul Kehrer | d52b89b | 2014-01-31 10:57:17 -0600 | [diff] [blame] | 32 | Deactivates the OS random engine if it is default. This will restore |
| Paul Kehrer | 3f17c7c | 2014-01-20 16:32:26 -0600 | [diff] [blame] | 33 | the default OpenSSL CSPRNG. If the OS random engine is not the default |
| 34 | engine (e.g. if another engine is set as default) nothing will be |
| 35 | changed. |
| 36 | |
| 37 | OS Random Engine |
| 38 | ---------------- |
| 39 | |
| Paul Kehrer | ae2138a | 2014-01-29 22:19:47 -0600 | [diff] [blame] | 40 | OpenSSL uses a user-space CSPRNG that is seeded from system random ( |
| Paul Kehrer | 136ff17 | 2014-01-29 21:23:11 -0600 | [diff] [blame] | 41 | ``/dev/urandom`` or ``CryptGenRandom``). This CSPRNG is not reseeded |
| 42 | automatically when a process calls ``fork()``. This can result in situations |
| 43 | where two different processes can return similar or identical keys and |
| 44 | compromise the security of the system. |
| Paul Kehrer | 3f17c7c | 2014-01-20 16:32:26 -0600 | [diff] [blame] | 45 | |
| Paul Kehrer | 136ff17 | 2014-01-29 21:23:11 -0600 | [diff] [blame] | 46 | The approach this project has chosen to mitigate this vulnerability is to |
| 47 | include an engine that replaces the OpenSSL default CSPRNG with one that sources |
| 48 | its entropy from ``/dev/urandom`` on UNIX-like operating systems and uses |
| 49 | ``CryptGenRandom`` on Windows. This method of pulling from the system pool |
| 50 | allows us to avoid potential issues with `initializing the RNG`_ as well as |
| 51 | protecting us from the ``fork()`` weakness. |
| 52 | |
| Paul Kehrer | 8042b29 | 2014-01-31 10:44:36 -0600 | [diff] [blame] | 53 | This engine is **active** by default when importing the OpenSSL backend. When |
| 54 | active this engine will be used to generate all the random data OpenSSL |
| 55 | requests. |
| 56 | |
| Paul Kehrer | 8042b29 | 2014-01-31 10:44:36 -0600 | [diff] [blame] | 57 | When importing only the binding it is added to the engine list but |
| 58 | **not activated**. |
| 59 | |
| Paul Kehrer | 3f17c7c | 2014-01-20 16:32:26 -0600 | [diff] [blame] | 60 | |
| Paul Kehrer | 9967bc5 | 2014-01-29 21:39:13 -0600 | [diff] [blame] | 61 | OS Random Sources |
| Paul Kehrer | 55809a1 | 2014-01-29 21:41:16 -0600 | [diff] [blame] | 62 | ----------------- |
| Paul Kehrer | 9967bc5 | 2014-01-29 21:39:13 -0600 | [diff] [blame] | 63 | |
| 64 | On OS X and FreeBSD ``/dev/urandom`` is an alias for ``/dev/random`` and |
| 65 | utilizes the `Yarrow`_ algorithm. |
| 66 | |
| 67 | On Windows ``CryptGenRandom`` is backed by `Fortuna`_. |
| 68 | |
| 69 | Linux uses its own PRNG design. ``/dev/urandom`` is a non-blocking source seeded |
| Paul Kehrer | 16e5e4d | 2014-01-30 09:43:30 -0600 | [diff] [blame] | 70 | from the same pool as ``/dev/random``. |
| Paul Kehrer | 9967bc5 | 2014-01-29 21:39:13 -0600 | [diff] [blame] | 71 | |
| 72 | |
| Alex Gaynor | 6d02e2d | 2013-09-30 10:37:22 -0700 | [diff] [blame] | 73 | .. _`OpenSSL`: https://www.openssl.org/ |
| Paul Kehrer | 136ff17 | 2014-01-29 21:23:11 -0600 | [diff] [blame] | 74 | .. _`initializing the RNG`: http://en.wikipedia.org/wiki/OpenSSL#Vulnerability_in_the_Debian_implementation |
| 75 | .. _`Yarrow`: http://en.wikipedia.org/wiki/Yarrow_algorithm |
| 76 | .. _`Fortuna`: http://en.wikipedia.org/wiki/Fortuna_(PRNG) |