On Mon, Oct 16, 2017 at 09:33:07AM +0200, Lubomir Rintel wrote:
> According to random(4) manual, /dev/random is essentially deprecated on Linux
> for quite some time:
>
> The /dev/random interface is considered a legacy interface, and
> /dev/urandom is preferred and sufficient in all use cases, with the
> exception of applications which require randomness during early boot time;
> for these applications, getrandom(2) must be used instead, because it will
> block until the entropy pool is initialized.

'man 4 random' on Ubuntu 16.04 does not have such language, so I'm not
sure I'd agree about the "quite some time" part..

> An attempt to use it would cause unnecessary blocking on machines
> without a good hwrng even when it shouldn't be needed. Since Linux 3.17,
> a getrandom(2) call is available that will block only until the
> randomness pool has been seeded.

What unnecessary blocking are you referring to here? /dev/random is
opened in non-blocking mode and more data is fetched from it once it
becomes available. How would getrandom(2) help here?

Please also note that I won't be accepting changes that would
practically move from /dev/random to /dev/urandom pool without very
thorough explanation on how that would not have a negative impact on
security especially as far as key derivation is concerned (this data is
used to generate encryption keys).

There is something odd here:

> diff --git a/hostapd/Makefile b/hostapd/Makefile
> ifdef CONFIG_NO_RANDOM_POOL
> +ifdef CONFIG_GETRANDOM
> +CFLAGS += -DCONFIG_GETRANDOM
> +endif
> CFLAGS += -DCONFIG_NO_RANDOM_POOL
> else
> OBJS += ../src/crypto/random.o
> diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
> @@ -1476,6 +1476,9 @@ endif
> ifdef CONFIG_NO_RANDOM_POOL
> CFLAGS += -DCONFIG_NO_RANDOM_POOL
> else
> +ifdef CONFIG_GETRANDOM
> +CFLAGS += -DCONFIG_GETRANDOM
> +endif
> OBJS += ../src/crypto/random.o
> endif

Why would this be different (related to CONFIG_NO_RANDOM_POOL) between
wpa_supplicant and hostapd? Furthermore, Android.mk should likely have
similar changes for both.

> diff --git a/src/crypto/random.c b/src/crypto/random.c
> @@ -229,30 +232,49 @@ int random_pool_ready(void)
> return 1; /* Already initialized - good to continue */
>
> /*
> - * Try to fetch some more data from the kernel high quality
> - * /dev/random. There may not be enough data available at this point,
> + * Try to fetch some more data from the kernel high quality RNG
> + * There may not be enough data available at this point,
> * so use non-blocking read to avoid blocking the application
> * completely.
> */
> - fd = open("/dev/random", O_RDONLY | O_NONBLOCK);

Please note that this is using /dev/random on purpose (i.e., not
/dev/urandom) since the material is used for key derivation..

> +#ifdef CONFIG_GETRANDOM
> + res = getrandom(dummy_key + dummy_key_avail,
> + sizeof(dummy_key) - dummy_key_avail, GRND_NONBLOCK);

While this would default to use the /dev/urandom pool since GRND_RANDOM
is not specified. I don't think this is a good change taking into
account the need for secure enough randomness for key derivation.

> @@ -272,8 +294,8 @@ int random_pool_ready(void)
> return 1;
> }
>
> - wpa_printf(MSG_INFO, "random: Not enough entropy pool available for "
> - "secure operations");
> + wpa_printf(MSG_INFO, "random: Not enough entropy pool available "
> + "from for secure operations");

??

--
Jouni Malinen PGP id EFC895FA
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
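
Review bot: In the hostapd/Makefile hunk the new `ifdef CONFIG_GETRANDOM` block sits inside the `ifdef CONFIG_NO_RANDOM_POOL` branch, while the wpa_supplicant/Makefile hunk puts it in the `else` branch next to `OBJS += ../src/crypto/random.o`. As quoted, hostapd would get -DCONFIG_GETRANDOM only in the configuration where random.o is not built, so the getrandom() path added to src/crypto/random.c would not be compiled in for hostapd. Move the block below `else` so that both Makefiles match.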
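
Review bot: In the first src/crypto/random.c hunk, in random_pool_ready(), the getrandom() call passes only GRND_NONBLOCK, which per getrandom(2) draws from the urandom source, whereas the removed line opened /dev/random; the source feeding dummy_key changes without the commit saying so. If the intent is only to replace the file descriptor with a system call, pass `GRND_RANDOM | GRND_NONBLOCK` and treat a -1 return with errno set to EAGAIN the same way as a short non-blocking read. The rewritten comment also dropped the full stop after "RNG", so its first two sentences now run together.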
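
Review bot: The new log string in the second src/crypto/random.c hunk reads "Not enough entropy pool available from for secure operations"; "from for" looks like the name of the source was dropped. Either name the source after "from" or keep the original wording of the message.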