ntp_random - please check
kurt at roeckx.be
Sat Jul 7 08:27:18 UTC 2018
On Fri, Jul 06, 2018 at 06:05:49PM -0700, Hal Murray wrote:
> kurt at roeckx.be said:
> > Note that this change in OpenSSL's behaviour to reseed can cause problems for
> > processes that chroot and don't have access to /dev/urandom in the chroot nor
> > have a system call like getentropy() that can be used instead.
> Interesting. Thanks.
> Is that documented someplace we can reference?
*) Modified the random device based seed sources to keep the relevant
file descriptors open rather than reopening them on each access.
This allows such sources to operate in a chroot() jail without
the associated device nodes being available. This behaviour can be
controlled using RAND_keep_random_devices_open().
*) Grand redesign of the OpenSSL random generator
The default RAND method now utilizes an AES-CTR DRBG according to
NIST standard SP 800-90Ar1. The new random generator is essentially
a port of the default random generator from the OpenSSL FIPS 2.0
object module. It is a hybrid deterministic random bit generator
using an AES-CTR bit stream and which seeds and reseeds itself
automatically using trusted system entropy sources.
Some of its new features are:
o Support for multiple DRBG instances with seed chaining.
o Add a public DRBG instance for the default RAND method.
o Add a dedicated DRBG instance for generating long term private keys.
o Make the DRBG instances fork-safe.
o Keep all global DRBG instances on the secure heap if it is enabled.
o Add a DRBG instance to every SSL instance for lock free operation
and to increase unpredictability.
[Paul Dale, Benjamin Kaduk, Kurt Roeckx, Rich Salz, Matthias St. Pierre]
(I guess I need to change this, the last line is not true.)
The RAND_keep_random_devices_open manpage can be seen here:
Various applications already ran into problems because of the
reseeding, which is why we now keep it open by default.
You might also want to read:
If you generate random bytes that you don't send to the peer
you might also want to look into using RAND_priv_bytes().
Note that 1.1.1 is not released yet, but it should be "soon".