[Cryptography] OpenSSL not using /dev/random (was: Re: /dev/random is not robust)

[Patrick Pelletier]

On 10/16/13 12:11 PM, Theodore Ts'o wrote:

> On another front, I recently noticed that on my Debian Testing box,
> the openssl librcrypto library is apparently not using /dev/urandom or
> /dev/random by default.  Hence, if you don't have a ~/.rnd file, any
> public/private key pairs that you might generate would have no entropy
> at all!  How did I notice this?  Because I added a kernel trace point
> so I could monitor how much use of /dev/random was being used by
> various userspace progam.  I was originally concerned by overuse of
> /dev/urandom where it wasn't needed, but then I discovered than
> "openssl genrsa" and "ssh-keygen" is apparently not using /dev/urandom
> or /dev/random at all(!!!).
>
> (Fortunatly this does not appear to be the case on Debian Stable, so
> it looks like a recent regression.  Or maybe it's a misconfiguration
> on my end, but (a) I'm getting lost trying to figure out the mazy of
> twisty compile-time and run-time configuration options of OpenSSL,
> complicated by the Debian packaging system, and (b) even if it is
> somehow "my fault", it shouldn't be that easy to have things silently
> fail to have no entropy at all.)

Are you on a machine with the RdRand instruction?  OpenSSL ships with a 
built-in RdRand ENGINE which just uses RdRand and doesn't use OpenSSL's 
random number generator at all.  (And thus needs no entropy.)  Although 
whether this ENGINE gets enabled is a bit tricky, and depends exactly on 
how OpenSSL was initialized.  (A group of us who contribute to the 
OpenSSL wiki have recently been debating the proper sequence of 
functions to call to initialize OpenSSL, and it's not as clear-cut as it 
seems like it ought to be.)

http://wiki.opensslfoundation.com/index.php/Library_Initialization
http://wiki.opensslfoundation.com/index.php/Random_Numbers

But if it's not using RdRand and not reading /dev/[u]random either, then 
this does sound scary indeed.

--Patrick