[qca] [Bug 499453] New: QCA seeds the OpenSSL RNG with low-entropy input
Wolfgang Frisch
bugzilla_noreply at kde.org
Mon Feb 3 10:26:10 GMT 2025
https://bugs.kde.org/show_bug.cgi?id=499453
Bug ID: 499453
Summary: QCA seeds the OpenSSL RNG with low-entropy input
Classification: Frameworks and Libraries
Product: qca
Version: Git
Platform: Other
OS: Linux
Status: REPORTED
Severity: normal
Priority: NOR
Component: general
Assignee: unassigned-bugs at kde.org
Reporter: wolfgang.frisch at suse.com
CC: aacid at kde.org, bradh at frogmouth.net,
justin at karneges.com
Target Milestone: ---
SUMMARY
The function `opensslProvider::init()` in `qca-ossl.cpp` attempts to seed
OpenSSL's RNG with 128 bytes of pseudo-random data, generated by the C standard
library's `rand()` function, which in turn is seeded with
`srand(time(nullptr))` [1]. Because `time()` has only one-second resolution,
the resulting sequence is easily predictable, and the generated seed has very
low entropy.
This low-entropy seed is then fed to OpenSSL via `RAND_seed()`, violating the
OpenSSL API recommendation [2]. `RAND_seed()` is intended for high-entropy
input only. OpenSSL provides the `RAND_add()` function specifically for
incorporating low-entropy randomness.
While OpenSSL wisely supplements this initial seed with high-quality random
data from the kernel (obtained with the `getrandom()` syscall), mitigating
potential consequences, the current implementation is, at best, ineffective,
and, at worst, weakens OpenSSL's internal RNG.
I suggest replacing the current code with `RAND_poll()`:
> RAND_poll() uses the system's capabilities to seed the random generator using
> random input obtained from polling various trusted entropy sources.
[1]
<https://invent.kde.org/libraries/qca/-/blob/b786c71a2bfe47082aff51901fd37195a3da3541/plugins/qca-ossl/qca-ossl.cpp?page=7#L6652>
[2] <https://docs.openssl.org/master/man3/RAND_add/>
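The seeding pattern described above, as an added C illustration that is not QCA's code: `seed_from_time` is a constructed approximation of the pattern the report describes (not the function at [1]), and `seed_entropy_bits_bound` quantifies why such a buffer is not high-entropy input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define SEED_LEN 128

/* Constructed illustration of the pattern the report describes (not the
 * actual QCA code): 128 bytes drawn from rand() after srand(time(NULL)).
 * The start-up second t is the only input an observer does not know. */
static void seed_from_time(time_t t, unsigned char out[SEED_LEN])
{
    srand((unsigned)t);
    for (size_t i = 0; i < SEED_LEN; i++)
        out[i] = (unsigned char)(rand() & 0xff);
}

/* The buffer is a pure function of t: two processes started in the same
 * second hand OpenSSL byte-identical "seeds". Returns 1 if so. */
int seed_is_deterministic(time_t t)
{
    unsigned char a[SEED_LEN], b[SEED_LEN];
    seed_from_time(t, a);
    seed_from_time(t, b);
    return memcmp(a, b, SEED_LEN) == 0;
}

/* Upper bound on the seed's entropy: ceil(log2(N)) bits, where N is the
 * number of start-up seconds an observer has to consider. This is far
 * below the 1024 bits the buffer length suggests, which is why
 * RAND_seed() (which treats its input as full-entropy) is the wrong call;
 * the report's fix is RAND_poll(), or RAND_add() with an honest estimate. */
unsigned seed_entropy_bits_bound(unsigned long window_seconds)
{
    unsigned bits = 0;
    while (bits < 63 && (1UL << bits) < window_seconds)
        bits++;
    return bits;
}

int main(void)
{
    time_t now = time(NULL);
    printf("deterministic for this second: %d\n", seed_is_deterministic(now));
    printf("entropy bound, one-hour window: %u bits (buffer holds %d bytes)\n",
           seed_entropy_bits_bound(3600), SEED_LEN);
    return 0;
}
```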