
Better fork protection for random bytes

Open daurnimator opened this issue 10 years ago • 3 comments

```c
/* Reseed when the current pid differs from the one recorded at the last stir. */
static void randL_checkpid(struct randL_state *st) {
    if (st->pid != getpid())
        (void)randL_stir(st, 16);
} /* randL_checkpid() */
```

^^ This code is currently used to ensure that a forked process will generate different random numbers.

A determined attacker could use pid overflow/wrapping to get the same random number generated more than once.

Related links:

  • https://wiki.openssl.org/index.php/Random_fork-safety
  • https://www.agwa.name/blog/post/libressls_prng_is_unsafe_on_linux
  • https://news.ycombinator.com/item?id=8034273 (linked from above)

daurnimator, May 29 '15 01:05

On linux, I wonder if the process specific keyring (see keys.txt) could help...

daurnimator, May 29 '15 01:05

On Thu, May 28, 2015 at 06:36:37PM -0700, daurnimator wrote:

> On linux, I wonder if the process specific keyring (see keys.txt) could help...

pthread_atfork can be used as the baseline.

The key ring capability looks useful. There are no glibc bindings so would need to use syscall.

OpenBSD has a cleaner feature: minherit + MAP_INHERIT_ZERO. Whenever a fork occurs the specified pages are automatically zeroed out. They added the flag for use in their arc4random implementation.

wahern, May 29 '15 17:05
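As an added illustration of the pthread_atfork baseline mentioned above (example code written for this page, not luaossl's code and not posted by either participant), the following combines the existing pid comparison with a child-side atfork handler that unconditionally flags the state as needing a reseed. The struct, function and variable names (`rand_state`, `rand_stir`, `rand_checkfork`, `g_forked`) are assumed for the example, and the generator is a toy 64-bit LCG so the block runs stand-alone; a real implementation would pull fresh entropy in `rand_stir`. The pid-wrap case is simulated by invoking the child handler while the pid is unchanged, since actually wrapping the pid space is not practical in a demo.

```c
#include <pthread.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed stand-in for a luaossl-style random state (not the project's own). */
struct rand_state {
    uint64_t s;      /* toy generator state */
    pid_t pid;       /* pid recorded at the last stir */
    unsigned stirs;  /* number of reseeds so far, for the demonstration */
};

/* Set only in the child by the pthread_atfork child handler. */
static volatile sig_atomic_t g_forked = 0;

static uint64_t lcg_step(uint64_t s)
{
    return s * 6364136223846793005ULL + 1442695040888963407ULL;
}

/* Reseed. A real stir would mix in getrandom()/RAND_bytes(); here the pid
 * and stir count are mixed in so the toy state visibly diverges after fork. */
static void rand_stir(struct rand_state *st)
{
    st->s ^= (uint64_t)getpid() * 0x9E3779B97F4A7C15ULL;
    st->s += ++st->stirs;
    st->pid = getpid();
}

/* Child handler: mark the state dirty regardless of what pid the child got.
 * This is what the pid comparison alone cannot guarantee under pid wrap. */
static void atfork_child(void) { g_forked = 1; }

static void register_atfork(void) { pthread_atfork(NULL, NULL, atfork_child); }

static void rand_init(struct rand_state *st, uint64_t seed)
{
    static pthread_once_t once = PTHREAD_ONCE_INIT;
    pthread_once(&once, register_atfork);
    memset(st, 0, sizeof *st);
    st->s = seed;
    rand_stir(st);
}

/* Reseed if EITHER the pid changed (the existing check) OR the atfork
 * handler fired. Returns 1 when a reseed happened. */
static int rand_checkfork(struct rand_state *st)
{
    if (g_forked || st->pid != getpid()) {
        rand_stir(st);
        g_forked = 0;
        return 1;
    }
    return 0;
}

static uint64_t rand_next(struct rand_state *st)
{
    rand_checkfork(st);
    st->s = lcg_step(st->s);
    return st->s;
}

/* Constructed pid-wrap scenario: the child ends up with exactly the pid
 * recorded in the state (simulated by staying in the same process), so the
 * pid comparison sees nothing. Returns 1 if the atfork flag still forces a
 * reseed while the pid check alone would have missed it. */
static int demo_pid_wrap_scenario(void)
{
    struct rand_state st;
    rand_init(&st, 777);
    unsigned before = st.stirs;
    int pid_check_fires = (st.pid != getpid());  /* 0: same pid, missed */
    atfork_child();                               /* what a real fork would do */
    int reseeded = rand_checkfork(&st);
    return !pid_check_fires && reseeded && st.stirs == before + 1;
}

/* Real fork: returns 1 if the child reseeded exactly once before its first
 * output and that output differs from the parent's would-be next value. */
static int demo_fork_reseeds(void)
{
    struct rand_state st;
    rand_init(&st, 12345);
    uint64_t parent_next_if_unreseeded = lcg_step(st.s);
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        uint64_t v = rand_next(&st);
        int r = (v != parent_next_if_unreseeded) && (st.stirs == 2);
        if (write(fds[1], &r, sizeof r) != (ssize_t)sizeof r) _exit(1);
        _exit(0);
    }
    close(fds[1]);
    int r = -1;
    if (read(fds[0], &r, sizeof r) != (ssize_t)sizeof r) r = -1;
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return r;
}
```

Caveats a practitioner should keep in mind: pthread_atfork handlers run only for fork() via libc, not for a raw clone()/SYS_fork syscall, and the child handler must stay async-signal-safe in multithreaded programs, so the example only sets a flag and defers the actual stir to the next use. The pid comparison is kept as a fallback for forks that bypass the handlers. On OpenBSD the same "dirty" signal can be obtained without any handler by placing the state in pages marked MAP_INHERIT_ZERO, as described above.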

> The key ring capability looks useful. There are no glibc bindings so would need to use syscall.

I created a POC: https://gist.github.com/daurnimator/dfdbaef3c255bdc11531 and a blog post to accompany it.

The functions are in keyutils.h; you don't need to use the syscall directly.

daurnimator, Jun 01 '15 04:06