Closed Bug 1215751 Opened 9 years ago Closed 3 years ago

[CID 1242392] dont_call: rand should not be used for security related applications, as linear congruential algorithms are too easy to break

Categories: NSS :: Libraries, defect, P3

Tracking: firefox44 affected

Status: RESOLVED DUPLICATE of bug 1602379

People: Reporter: franziskus, Unassigned

References: Blocks 2 open bugs

Details: Keywords: coverity

Coverity points out that using rand is not a good idea in security related contexts. While this seems to be used only for Miller-Rabin, one could think this should be ok. But I'm somewhat uneasy with this as it bears the risk that someone might use it for something else (it's called mpp_random after all). Further, using a weak random number generator in MR might lead to wrong results of MR (e.g. the number of distinct random numbers used in the test is too small, i.e. the precision used in MR is probably not given), which would be bad.
Flags: needinfo?(martin.thomson)
Do these reports indicate the line/file? Or is this something that is Mozilla-only?
Not sure if you can get access to coverity, but it is about the randomness used here [1]. [1] https://dxr.mozilla.org/mozilla-central/source/security/nss/lib/freebl/mpi/mpprime.c?from=mpp_random#115
I think that I agree with the general point: even if it is technically safe, there shouldn't be much harm in calling a strong generator for this stuff. The problem is that we aren't really able to call out to any other function from inside of mpi. Bob, you know the dependencies and setup better than I. Can we somehow trick mpprime.c into calling something in freebl without directly teaching mpi about the contents of freebl? Maybe we could add a void mp_set_rand((int*)(void)) that freebl can call during initialization. Or is this not worth the effort? Or, do you not want to pay a performance penalty here?
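The hook sketched in the comment above, a function pointer that freebl installs at init so mpi never links against it directly, written out as an added C example (this is not NSS code; mp_set_rand, mp_probable_prime and urandom_bytes are hypothetical names, and the 32-bit arithmetic is a toy stand-in for mpi's bignums). It also shows the safe failure mode: with no source installed the test refuses rather than quietly falling back to rand().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Hypothetical hook (not NSS code): freebl installs a byte source at init,
 * so the primality test never has to know where its randomness comes from.
 * The callback returns 0 on success, nonzero on failure. */
typedef int (*mp_rand_fn)(unsigned char *buf, size_t len);
static mp_rand_fn g_rand = NULL;
int mp_set_rand(mp_rand_fn fn) { if (fn == NULL) return -1; g_rand = fn; return 0; }

/* Example byte source: the kernel CSPRNG. In NSS this would be wired to the
 * library's own DRBG instead of rand(). */
int urandom_bytes(unsigned char *buf, size_t len) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t got = fread(buf, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
}
/* Toy 32-bit stand-in for mpi's bignum arithmetic: a, b < 2^32 so a*b fits. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) { return (a * b) % m; }
static uint64_t powmod(uint64_t b, uint64_t e, uint64_t m) {
    uint64_t r = 1; b %= m;
    for (; e; e >>= 1) { if (e & 1) r = mulmod(r, b, m); b = mulmod(b, b, m); }
    return r;
}
/* Miller-Rabin with witnesses drawn from the installed source.
 * Returns 1 (probably prime), 0 (a witness proved n composite),
 * or -1 if no source is installed or it fails: never silently fall back. */
int mp_probable_prime(uint32_t n, int rounds) {
    if (n < 4) return n == 2 || n == 3;
    if ((n & 1) == 0) return 0;
    if (g_rand == NULL) return -1;
    uint32_t d = n - 1; int s = 0;
    while ((d & 1) == 0) { d >>= 1; s++; }            /* n - 1 = 2^s * d */
    for (int i = 0; i < rounds; i++) {
        unsigned char b[4];
        if (g_rand(b, sizeof b) != 0) return -1;
        uint32_t r = (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
        uint32_t a = 2 + r % (n - 3);                 /* witness in [2, n-2] */
        uint64_t x = powmod(a, d, n);
        if (x == 1 || x == n - 1) continue;
        int composite = 1;                            /* a^d != +-1: keep squaring */
        for (int j = 1; j < s && composite; j++) composite = (x = mulmod(x, x, n)) != n - 1;
        if (composite) return 0;
    }
    return 1;
}
```

Each distinct witness is independent of the last, so the bound of at most (n-1)/4 strong liars per round actually applies; with a linear congruential rand() and a small modulus the witnesses repeat and the advertised error bound no longer holds.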
Flags: needinfo?(martin.thomson) → needinfo?(rrelyea)
See Also: → 339895
Blocks: 1259050
Priority: -- → P3
Depends on: 1602379
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Flags: needinfo?(rrelyea)