New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix & update documentation about RAND_priv_bytes() #6514
Conversation
At first look this all looks fine. |
doc/man3/BN_rand.pod
Outdated
same difference between RAND_bytes() and RAND_priv_bytes(). | ||
|
||
The PRNG must be seeded prior to calling BN_rand(), BN_rand_range(), | ||
BN_priv_rand(), or BN_priv_rand_range(). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@kroeckx Is the above paragraph still relevant? Or does it come from pre-1.1.0?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As far as I know, since 1.1.0 we will try to initialize on first use. So this is not relevant for those versions. But only 1.1.1 has the priv functions.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
RAND_bytes has a comment about generating an error when it's not seeded. I wonder if we should add something like that here too.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me. "make doc-nits" will find many errors BTW.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Just one nit, which does not need to be fixed.
doc/man3/BN_rand.pod
Outdated
@@ -37,7 +43,13 @@ If B<bits> is 1 then B<top> cannot also be B<BN_RAND_FLG_TOPTWO>. | |||
BN_rand_range() generates a cryptographically strong pseudo-random | |||
number B<rnd> in the range 0 E<lt>= B<rnd> E<lt> B<range>. | |||
|
|||
The PRNG must be seeded prior to calling BN_rand() or BN_rand_range(). | |||
BN_priv_rand() and BN_priv_rand_range() have, respectively, the same |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe move ",respectively" to the end? (that saves a comma.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@mspncp I'll fix it right away, thanks for the feedback!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@mspncp done!
@richsalz about Could you please elaborate a bit on how to use it so that I can be more effective in improving the documentation in the future? |
I think, Rich's remark about |
You should probably add a HISTORY section saying that the priv functions were added in 1.1.1 |
doc/man3/RAND_bytes.pod
Outdated
be used for generating values that should remain private. If using the | ||
default RAND_METHOD, this function uses a separate instance of the PRNG | ||
so that a compromise of the global generator will not affect the secrecy | ||
of such values. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it really the "global generator" anymore? Perhaps "a compromise of the PRNG used for public-facing values will not affect the secrecy of values from the private generator"?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How about the following formulation?
... this function uses a separate "private" PRNG instance so that a
compromise of the "public" PRNG instance will not affect the
secrecy of these private values.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@mspncp sounds good to me, but I completely lack knowledge and understanding about the DRBG craziness ( 😃 ) to evaluate how accurately this reflects the default RAND_METHOD internals!
So I'll defer to a Battle Royale among you wise PRNG experts to determine what the final formulation should be!! 😆
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See man RAND_DRBG(7) for a nice ascii art picture :-).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The image looks a bit distorted in my browser, but not on the console.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's very nice!! I should check Section 7 more often, there is a lot of cool stuff there!
I will squash this commit once we reach consensus - Update sentence on PRNG seeding requirement leftover from 1.0.2 @kroeckx, openssl#6514 (comment) openssl#6514 (comment) - Add history entry about BN_priv_rand and BN_priv_rand_range @kroeckx, openssl#6514 (comment) - Rephrase "global generator" in RAND_priv_bytes() doc @kaduk, openssl#6514 (comment) - Add history entry about RAND_priv_bytes() @kroeckx, openssl#6514 (comment)
I will squash this and previous commits into a single one once we reach consensus.
@richsalz the 1.1.0 label is misplaced |
Does not apply to |
You don't need to do the squashing, I can do it in the final merge. For larger pull requests, it is in fact the preferred way that squashing is done by the reviewer who merges, unless there are conflicts to be resolved or you want to reword your commit message. We try to avoid force-pushing after approval, since formally, after squashing and force-pushing, the entire change set needs to be revisited. For a small pull request like yours it would be acceptable if you prefer to squash it yourself, but it is not necessary to do it. |
Note: when I suggested the alternative formulation I wasn't aware that you had already addressed @kaduk's comment. So your pr is fine for me the way it is. (Sorry, no battle royale ;-). ) I will give @kaduk a few more hours to respond and will merge after that with the current three approvals if nobody shows up. |
In 509cdce , I updated the wording according to @mspncp suggestion in #6514 (comment), reformatted the history sections to use lists, and edited RAND.7 as it had a similar section about "long-term secrets". Finally I sprinkled links to RAND.7 and RAND_DRBG.7 in RAND_bytes.3 and BN_rand.3: those section 7 manpages are so useful and beautiful they deserve to be as reachable as possible!! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Conflict between RAND.7 and RAND_bytes.3
doc/man3/BN_rand.pod
Outdated
|
||
An error occurs in the underlying B<RAND> functions if the CSPRNG has | ||
not been seeded with enough randomness to ensure an unpredictable byte | ||
sequence. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I mirrored the note contained in RAND_bytes.3 for
An error occurs in the underlying B functions if the CSPRNG has not been seeded with enough randomness to ensure an unpredictable byte sequence.
Reading RAND.7, to me it seems that this, and the original note, are in conflict to the following statement:
The default random generator will initialize automatically on first use and will be fully functional without having to be initialized ('seeded') explicitly. It seeds and reseeds itself automatically using trusted random sources provided by the operating system.
- Should I remove the above note?
- What about the one in RAND_bytes.3?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay, silly me, rereading it they are not in conflict. It's just remarking about the fact that whenever randomness is requested through one of those functions, the developer should always check for errors in case there wasn't enough randomness.
I would rephrase this note and the one in RAND_bytes.3 just to make the message about checking the return value more explicit for this reason!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this going to become something bigger? Then you might want to consider one of the following two options:
-
Add "WIP:" to the beginning of the pull request title so we see it is work-in-progress and will make useful comments but not attempt a formal review. (As long as it is WIP, you are free to squash and reorganize as you like)
-
Keep this pull request limited to RAND_priv_bytes() only and create a new WIP pull request (which can even be based on this branch initially) for all the new ideas you came up with.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess it's pretty much done now, when I opened it it was limited only to BN_priv_rand()
and RAND_priv_bytes()
, it was only after the feedback on RAND(7)
and RAND_DRBG(7)
that I noticed that also RAND(7)
needed updating, because it had the same notice note on "long-term secrets" rather than "any private value".
Commit d246d50 too is just an improvement on some feedback I received in this PR, about including a note about errors when the CSPRNG does not have enough entropy: upon reading RAND(7)
I initially misinterpreted the intention of the note when compared with the note in RAND(7)
about automatic initialization and reseeding: when I (5 minutes later) realized that the note on RAND_bytes(3)
was to remind API users to always check for the error return value, I made that more explicit so that other silly users like me don't fall in the same trap!
No no, I just wanted to say that there is no need to address my commit. You pushed after my comment, did you? Or did I overlook your commit? I will have a look at your newest changes. |
Yep, you commented before I pushed, but I was unaware of your newest comment when I pushed. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
doc/man7/RAND.pod
Outdated
@@ -64,7 +67,7 @@ L<RAND_priv_bytes(3)>, | |||
L<RAND_get_rand_method(3)> | |||
L<RAND_set_rand_method(3)> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
While you're at it, would you mind adding two missing commas here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm fine with the reworded formulation, thanks!
(There is also no need to address the indicated nits inline before merging.)
doc/man3/BN_rand.pod
Outdated
|
||
=head1 NOTES | ||
|
||
Always check the error return value of these functions and don't take |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some man page style guidelines say to avoid contractions, though I forget if that's something we've actually adopted for OpenSSL.
doc/man3/RAND_bytes.pod
Outdated
=head1 NOTES | ||
|
||
Always check the error return value of RAND_bytes() and | ||
RAND_priv_bytes() and don't take randomness for granted: an error occurs |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(same here)
doc/man7/RAND.pod
Outdated
in order to reveal as little information as possible about its internal state. | ||
The intention behind using a dedicated CSPRNG exclusively for private | ||
values is that none of its output should be visible to an attacker (e.g | ||
used as salt value), in order to reveal as little information as |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some grammar pedants will insist upon offsetting things like "i.e." and "e.g." with commas (or parentheses) both before and after.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"e.g." was missing the trailing point anyway, so I went ahead and also applied the "avoid contractions" suggestion.
Thanks @kaduk for spotting it!
I noticed that the e.g. in was missing the trailing point anyway, so I went ahead and also committed the "avoid contractions" suggestion.
Reconfirm, this is ready to merge. |
Well then, let's go ;-) |
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from #6514)
Merge, thank you very much! (Travis failure was unrelated) |
@richsalz are you complaining I talk too much???? 😛 Anyway, thank you all, I learned a lot by working on this PR and especially from all your feedback! |
No, he is teasing me that I'm being too pedantic ;-) |
No, I'm thanking everyone for sticking with this, even though it became much bigger then I think we all first thought it would be. |
Stemming from #6501 (comment) this PR updates the documentation about
RAND_priv_bytes()
and then adds missing documentation aboutBN_priv_rand()
andBN_priv_rand_range()
:Pinging @kroeckx , @richsalz and @mspncp for comments: bear in mind that I'm not entirely familiar with pod syntax, so please double check for newbie errors!