ntp_random - please check

Kurt Roeckx kurt at roeckx.be
Sat Jul 7 08:27:18 UTC 2018


On Fri, Jul 06, 2018 at 06:05:49PM -0700, Hal Murray wrote:
> 
> kurt at roeckx.be said:
> > Note that this change in OpenSSL's behaviour to reseed can cause problems for
> > processes that chroot and don't have access to /dev/urandom in the chroot nor
> > have a system call like getentropy() that can be used instead. 
> 
> Interesting.  Thanks.
> 
> Is that documented someplace we can reference?

There is
https://github.com/openssl/openssl/blob/master/CHANGES
that has:
  *) Modified the random device based seed sources to keep the relevant
     file descriptors open rather than reopening them on each access.
     This allows such sources to operate in a chroot() jail without
     the associated device nodes being available. This behaviour can be
     controlled using RAND_keep_random_devices_open().
     [Paul Dale]

And:
  *) Grand redesign of the OpenSSL random generator

     The default RAND method now utilizes an AES-CTR DRBG according to
     NIST standard SP 800-90Ar1. The new random generator is essentially
     a port of the default random generator from the OpenSSL FIPS 2.0
     object module. It is a hybrid deterministic random bit generator
     using an AES-CTR bit stream and which seeds and reseeds itself
     automatically using trusted system entropy sources.

     Some of its new features are:
      o Support for multiple DRBG instances with seed chaining.
      o Add a public DRBG instance for the default RAND method.
      o Add a dedicated DRBG instance for generating long term private keys.
      o Make the DRBG instances fork-safe.
      o Keep all global DRBG instances on the secure heap if it is enabled.
      o Add a DRBG instance to every SSL instance for lock free operation
        and to increase unpredictability.
     [Paul Dale, Benjamin Kaduk, Kurt Roeckx, Rich Salz, Matthias St. Pierre]

(I guess I need to change this, the last line is not true
anymore.)


The RAND_keep_random_devices_open manpage can be seen here:
https://www.openssl.org/docs/manmaster/man3/RAND_keep_random_devices_open.html

Various applications already ran into problems because of the
reseeding, which is why we now keep it open by default.

You might also want to read:
https://www.openssl.org/docs/manmaster/man7/RAND.html

If you generate random bytes that you don't send to the peer
you might also want to look into using RAND_priv_bytes().

Note that 1.1.1 is not released yet, but it should be "soon".


Kurt
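
[Added example, not part of the original message and not OpenSSL code.] The CHANGES entry quoted above says that keeping the seed-source file descriptor open lets it work in a chroot() jail where the device node is missing. The C sketch below shows that mechanism with POSIX calls only. It assumes a constructed temporary file as a stand-in for /dev/urandom and uses unlink() as a stand-in for the path disappearing after chroot(); all function names are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed stand-in for a seed device node such as /dev/urandom. */
static char seed_path[64];
static int kept_fd = -1;

/* Create the stand-in node and fill it with constructed bytes. */
int make_seed_node(void) {
    unsigned char fill[64];
    snprintf(seed_path, sizeof seed_path, "/tmp/seed_node_%ld", (long)getpid());
    int fd = open(seed_path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    memset(fill, 0xA5, sizeof fill);
    ssize_t w = write(fd, fill, sizeof fill);
    close(fd);
    return w == (ssize_t)sizeof fill ? 0 : -1;
}

/* Reopen-on-each-access: fails once the path no longer resolves. */
int seed_reopen(unsigned char *buf, size_t n) {
    int fd = open(seed_path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t r = read(fd, buf, n);
    close(fd);
    return r == (ssize_t)n ? 0 : -1;
}

/* Keep-open: the descriptor is opened once, before the node goes away. */
int seed_keep_open(unsigned char *buf, size_t n) {
    if (kept_fd < 0 && (kept_fd = open(seed_path, O_RDONLY)) < 0) return -1;
    /* Rewind only because the stand-in is a finite file; a device needs no seek. */
    if (lseek(kept_fd, 0, SEEK_SET) < 0) return -1;
    return read(kept_fd, buf, n) == (ssize_t)n ? 0 : -1;
}

/* Stand-in for chroot() into a jail without the node: the path disappears. */
int lose_node(void) { return unlink(seed_path); }

int main(void) {
    unsigned char buf[16];
    if (make_seed_node() != 0) return 1;
    printf("before: reopen=%d keep=%d\n", seed_reopen(buf, 16), seed_keep_open(buf, 16));
    if (lose_node() != 0) return 1;
    printf("after:  reopen=%d keep=%d\n", seed_reopen(buf, 16), seed_keep_open(buf, 16));
    close(kept_fd);
    return 0;
}
```

The kept descriptor only helps if the first read happens before the process enters the jail; a process that first needs seed material after chroot() still has no way to open the node.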


