Support for /dev/*random in OpenSSL 1.1.1


Support for /dev/*random in OpenSSL 1.1.1

Michael Brunnbauer

hi all,

I have glibc 2.30 with Kernel 4.9.191 but unfortunately I compiled glibc with
old Kernel headers from Linux 3.16.46. It seems that as a result of this, my
getrandom() and getentropy() are stubs that always fail with ENOSYS. This
leads to:

./util/shlib_wrap.sh apps/openssl rand -hex 10
4145686272:error:2406C06E:random number generator:RAND_DRBG_instantiate:error retrieving entropy:crypto/rand/drbg_lib.c:342:
...

Fine I thought, supply --with-rand-seed=devrandom to Configure and be done
with it until you can fix your glibc. Nope - same result.

Now I see this in e_os.h:

/*
 * Linux kernels 4.8 and later changes how their random device works and there
 * is no reliable way to tell that /dev/urandom has been seeded -- getentropy(2)
 * should be used instead.
 */
#   ifndef DEVRANDOM_SAFE_KERNEL
#    define DEVRANDOM_SAFE_KERNEL        4, 8
#   endif

So OpenSSL 1.1.1 will not support /dev/*random with Kernels > 4.8?

I can fix the kernel headers before compiling the next release of glibc but
this is some months away.

Is there anything I can do now? I don't like the idea of recompiling glibc -
version upgrades are much easier to deploy than replacing the current version.

Regards,

Michael Brunnbauer

--
++  Michael Brunnbauer
++  netEstate GmbH
++  Geisenhausener Straße 11a
++  81379 München
++  Tel +49 89 32 19 77 80
++  Fax +49 89 32 19 77 89
++  E-Mail [hidden email]
++  https://www.netestate.de/
++
++  Sitz: München, HRB Nr.142452 (Handelsregister B München)
++  USt-IdNr. DE221033342
++  Geschäftsführer: Michael Brunnbauer, Franz Brunnbauer
++  Prokurist: Dipl. Kfm. (Univ.) Markus Hendel


Re: Support for /dev/*random in OpenSSL 1.1.1

Dr Paul Dale
As a temporary workaround, you might try defining __NR_getrandom to the appropriate system call number, although it looks like the extra effort to get past the other preprocessor check in rand_unix.c could get ugly.

What about defining your own getrandom function in your application that calls the system call? The linker should find that before glibc's.


Pauli
-- 
Dr Paul Dale | Distinguished Architect | Cryptographic Foundations 
Phone +61 7 3031 7217
Oracle Australia




On 12 Sep 2019, at 1:48 am, Michael Brunnbauer <[hidden email]> wrote:
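Pauli's second suggestion worked through as an added example (not code from the thread or from OpenSSL): an application-side getrandom() that goes straight to the kernel via syscall(2), so the link-time symbol shadows glibc's ENOSYS stub. It assumes Linux on x86_64 or aarch64 and a kernel of 3.17 or later; the fallback syscall numbers are supplied only for those two architectures.

```c
/* Constructed example: drop-in getrandom(2) that bypasses a glibc stub.
 * Assumes Linux, kernel >= 3.17, x86_64 or aarch64. Not OpenSSL code. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Old kernel headers (the poster's 3.16 case) do not define the syscall
 * number, so supply it for the architectures covered here. */
#ifndef SYS_getrandom
#  if defined(__x86_64__)
#    define SYS_getrandom 318
#  elif defined(__aarch64__)
#    define SYS_getrandom 278
#  else
#    error "add the getrandom(2) syscall number for this architecture"
#  endif
#endif

/* Defined in the application's own object file, so the linker resolves
 * getrandom here before it reaches glibc's stub. Flags pass straight through. */
ssize_t getrandom(void *buf, size_t buflen, unsigned int flags)
{
    return syscall(SYS_getrandom, buf, buflen, flags);
}

/* Fill buf completely. Without GRND_NONBLOCK this blocks until the kernel
 * pool is initialised, which is exactly the guarantee /dev/urandom cannot
 * give on kernels >= 4.8. Retries on EINTR and on short reads.
 * Returns 0 on success, -1 with errno set (ENOSYS means the kernel is too old). */
int fill_random(void *buf, size_t len)
{
    unsigned char *p = buf;
    while (len > 0) {
        ssize_t n = getrandom(p, len, 0);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        p += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Self-check for the build: did the override actually reach the kernel? */
int getrandom_works(void)
{
    unsigned char b[32] = {0}, zero[32] = {0};
    return fill_random(b, sizeof b) == 0 && memcmp(b, zero, sizeof b) != 0;
}
```

Link the object containing this function into the binary (or into a library loaded before libc) and rerun the failing rand command; if getrandom_works() returns 0, check errno for ENOSYS before suspecting the DRBG.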