Bug 499453

Summary: QCA seeds the OpenSSL RNG with low-entropy input
Product: [Frameworks and Libraries] qca Reporter: Wolfgang Frisch <wolfgang.frisch>
Component: general    Assignee: Unassigned bugs <unassigned-bugs-null>
Status: REPORTED ---    
Severity: normal CC: aacid, bradh, justin
Priority: NOR    
Version First Reported In: Git   
Target Milestone: ---   
Platform: Other   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description Wolfgang Frisch 2025-02-03 10:26:10 UTC
SUMMARY

The function `opensslProvider::init()` in `qca-ossl.cpp` attempts to seed
OpenSSL's RNG with 128 bytes of pseudo-random data, generated by the C standard
library's `rand()` function, which in turn is seeded with
`srand(time(nullptr))` [1].  Because `time()` has only one-second resolution,
the resulting generated sequence is easily predictable, and the generated seed
has very low entropy.

This low-entropy seed is then fed to OpenSSL via `RAND_seed()`, violating the
OpenSSL API recommendation [2]. `RAND_seed()` is intended for high-entropy
input only. OpenSSL provides the `RAND_add()` function specifically for
incorporating low-entropy randomness.

While OpenSSL wisely supplements this initial seed with high-quality random
data from the kernel (obtained with the `getrandom()` syscall), mitigating
potential consequences, the current implementation is, at best, ineffective,
and, at worst, weakens OpenSSL's internal RNG.

I suggest replacing the current code with `RAND_poll()`:

> RAND_poll() uses the system's capabilities to seed the random generator using
> random input obtained from polling various trusted entropy sources.


[1] <https://invent.kde.org/libraries/qca/-/blob/b786c71a2bfe47082aff51901fd37195a3da3541/plugins/qca-ossl/qca-ossl.cpp?page=7#L6652>
[2] <https://docs.openssl.org/master/man3/RAND_add/>
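To make the entropy argument in the report concrete, the following C program is an added example (not QCA's or OpenSSL's code): it reproduces the `srand(time())` / `rand()` seeding pattern described above with the timestamp as an explicit parameter, shows that the 128-byte buffer is a deterministic function of a one-second value, and bounds its entropy for a given start-time window. Function names are assumptions made for this example.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <time.h>

#define SEED_LEN 128   /* same buffer size as in the report */

/* Constructed stand-in for the reported pattern in opensslProvider::init():
 * seed the C library PRNG with a one-second timestamp, then fill the buffer
 * from rand(). The timestamp is a parameter so any second can be examined. */
void low_entropy_seed(time_t t, unsigned char out[SEED_LEN])
{
    srand((unsigned)t);
    for (size_t i = 0; i < SEED_LEN; i++)
        out[i] = (unsigned char)rand();
}

/* Returns 1 if two timestamps produce byte-identical seed buffers.
 * Every call within the same second yields the same buffer. */
int seeds_collide(time_t a, time_t b)
{
    unsigned char sa[SEED_LEN], sb[SEED_LEN];
    low_entropy_seed(a, sa);
    low_entropy_seed(b, sb);
    return memcmp(sa, sb, SEED_LEN) == 0;
}

/* Upper bound on the seed's entropy in bits when the process start time lies
 * within a window of `window_seconds`: the buffer is a deterministic function
 * of the timestamp, so at most `window_seconds` distinct buffers can occur.
 * Computed as ceil(log2(window_seconds)) without libm. */
unsigned seed_entropy_bits_upper_bound(unsigned long window_seconds)
{
    unsigned bits = 0;
    while (window_seconds > 1UL) {
        window_seconds = (window_seconds + 1UL) / 2UL;  /* ceiling halving */
        bits++;
    }
    return bits;
}

int main(void)
{
    time_t now = time(NULL);
    printf("two calls in the same second collide: %s\n",
           seeds_collide(now, now) ? "yes" : "no");
    printf("entropy bound, one-day start window: %u bits (nominal buffer: %d bits)\n",
           seed_entropy_bits_upper_bound(86400UL), SEED_LEN * 8);
    return 0;  /* the fix suggested in the report is RAND_poll() instead */
}
```

The nominal 1024-bit buffer carries at most about 17 bits of entropy for a start time known to the day, which is why feeding it to `RAND_seed()`, which assumes full-entropy input, is the misuse the report describes.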
Comment 1 Albert Astals Cid 2025-02-03 20:48:59 UTC
We are in the slow process of phasing out QCA, so unless there is a real real real problem we're not going to touch it much/make new releases

https://invent.kde.org/libraries/qca/-/issues/18
Comment 2 Wolfgang Frisch 2025-02-11 14:14:35 UTC
(In reply to Albert Astals Cid from comment #1)
> We are in the slow process of phasing out QCA, so unless there is a real
> real real problem we're not going to touch it much/make new releases
> 
> https://invent.kde.org/libraries/qca/-/issues/18

Thanks for the clarification. In that case it doesn't make much sense to pursue this further, since OpenSSL mitigates the problem.