-
Notifications
You must be signed in to change notification settings - Fork 424
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Infinite loop if call to OpenSSL function RAND_bytes() fails #895
Comments
Thanks very much for the investigation and bug report. This is really fascinating a) that it could elude us for so long and b) that it now happens reproducibly... I'll start digging.... |
It's mainly because the changes in 3.0 make it that much easier to end up with a situation such that RAND_bytes() can return 0. Just don't load any providers with DRBGs in them and it will happen. In 1.1.1 that doesn't happen. However RAND_bytes() can still fail for other reasons even in 1.1.1 - but it happens much more rarely. |
After some quick code archaeology, I guess the weird (void-returning) design of the OQS Unless other proposals I are made'll address this issue in such way then. |
I'm not sure I fully understand: Would we have to implement our own DRBG in Anyway, it indeed doesn't happen if the default provider is spec'd, too:
Goodness: This apparently would trigger provider encoder code (if it were properly working...), so now I see a good way forward on open-quantum-safe/oqs-provider#2: Thanks again! |
There needs to be a DRBG available in one of the loaded providers in order for you to be able to get random bytes. I think by default it will try to fetch the DRBG called "DRBG-CTR" unless you override it. We offer two providers that have that DRBG in it: default and fips. Therefore you must have one of those loaded to have random data. As an alternative you could provide your own DRBG - but unless you've got a real need of it I suggest you don't. |
Yes, that's the reason for the API design here. I haven't followed your full discussion above. Certainly we want to use the OpenSSL DRBG rather than our own, unless absolutely necessary. Also certainly we don't want to fail to a case where the function returns without having successfully obtained random bytes. |
Fully agree. This means users of
If I understand this right, the only way to deal with this is with the above-proposed "hard exit" if |
It's too late to change this in NIST's API, but we could change it in OQS, no? We would need to go touch all calls from our algs to handle (propagate) the error, or are you suggesting @baentsch to fail & exit in the rand function directly? It seems the proper behavior is application specific, so propagating the randomness error as a OQS return value would be better, IMO. |
That also was my immediate reaction/preference, but then I counted 453 (!) instances of
I suppose it would be a rare event anyway given how many years it has taken to be discovered. As a compromise, we could retry MAX_RAND_RETRY times but then die (with a clear error message, of course). |
It would be rare in OpenSSL 1.1.1 but, as you discovered, with 3.0 a configuration error can lead to this which may not be that unlikely. |
Another option would be to call |
This would avoid the most common cause of this issue - but it wouldn't fix the underlying problem. |
You're correct, it wouldn't solve the problem completely. |
* fixes #895 * upgrade ubuntu 20 CI * using status/poll pattern to retry
The function
OQS_randombytes_openssl
will call RAND_bytes() in an infinite loop if it fails:liboqs/src/common/rand/rand.c
Lines 114 to 122 in bd4d09d
This is probably not the right behaviour. In some circumstances (for example if the DRBG has failed to seed) this call will never succeed no matter how many times you call it. This is the cause of the hang found here:
openssl/openssl#14069
The text was updated successfully, but these errors were encountered: