ntp_random - please check

Kurt Roeckx kurt at roeckx.be
Fri Jul 6 21:03:40 UTC 2018


On Fri, Jul 06, 2018 at 01:27:30PM -0700, Hal Murray via devel wrote:
> Also, it didn't check the return code.  That raises an interesting question.  
> What should we do if there isn't enough entropy?
> 
> How much entropy is there in a typical system?  Can a malicious user use it 
> all up?  Could a busy server run out?

You're actually using OpenSSL to generate those random bits, so it
depends on OpenSSL too.

In OpenSSL 1.1.1 the CSPRNG will actually reseed itself from the
OS by default. It needs to get 256 bits from the OS by default
every hour, or every 2^24 calls, which ever comes first. So that
would mean more than 4660 calls per second to need more than 256
bit / hour of the OS. Any OS really should be able to deliver that
much. And hardware RNGs can actually be pretty cheap and deliver
very high rates.

In older versions it just once reads the 256 bit, and then never
gets new data from the OS.

Note that this change in OpenSSL's behaviour to reseed can cause
problems for processes that chroot and don't have access to
/dev/urandom in the chroot nor have a system call like
getentropy() that can be used instead.


Kurt



More information about the devel mailing list